CVE-2024-26150: `@backstage/backend-common` vulnerable to path traversal through symlinks
Impact
Paths checks with the resolveSafeChildPath utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers.
Patches
Patched in @backstage/backend-common version 0.21.1.
Patched in @backstage/backend-common version 0.20.2.
Patched in @backstage/backend-common version 0.19.10.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the Backstage repository
- Visit our Discord, linked to in Backstage README
References
- github.com/advisories/GHSA-2fc9-xpp8-2g9h
- github.com/backstage/backstage
- github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f
- github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717
- github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871
- github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h
- nvd.nist.gov/vuln/detail/CVE-2024-26150
Detect and mitigate CVE-2024-26150 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →