GHSA-pgf8-28gg-vpr6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pgf8-28gg-vpr6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-pgf8-28gg-vpr6/GHSA-pgf8-28gg-vpr6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pgf8-28gg-vpr6
- Aliases
- Related
- Published
- 2021-06-04T19:09:20Z
- Modified
- 2023-11-08T04:05:55.975688Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Path traversal
- Details
-
Impact
A malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for
docs_dirinmkdocs.yml. These files would then be available over the TechDocs backend API.This vulnerability is mitigated by the fact that an attacker would need access to modify the
mkdocs.ymlin the documentation source code, and would also need access to the TechDocs backend API.Patches
The vulnerability is patched in the
0.6.3release of@backstage/techdocs-common.For more information
If you have any questions or comments about this advisory:
- Open an issue in the Backstage repository
- Visit our chat, linked to in Backstage README
- Database specific
{ "nvd_published_at": "2021-06-03T22:15:00Z", "github_reviewed_at": "2021-06-03T22:01:05Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-22" ] }- References
Affected packages
npm / @backstage/techdocs-common
Package
- Name
- @backstage/techdocs-common
- View open source insights on deps.dev
- Purl
- pkg:npm/%40backstage/techdocs-common