GMS-2022-2231: Path traversal for local publishers in TechDocs backend

June 17, 2022

A malicious actor with the ability to register entities in the Software Catalog is able to write files to arbitrary paths on the techdocs backend host instance when techdocs.publisher.type is set to local.

References

github.com/advisories/GHSA-4jqc-jvh2-pxg9
github.com/backstage/backstage/commit/429c9f9daa5654dd1b996aa85f7264eb23a2e4fa
github.com/backstage/backstage/security/advisories/GHSA-4jqc-jvh2-pxg9

Detect and mitigate GMS-2022-2231 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →