Home > Vulnerability Database > WS-2022-0154

Mend.io Vulnerability Database

WS-2022-0154

Good to know:

Date: November 3, 2024

In backstage plugin-techdocs-node before 1.1.2 and backstage techdocs-common before 0.11.16, a malicious actor with the ability to register entities in the Software Catalog is able to write files to arbitrary paths on the techdocs backend host instance when techdocs.publisher.type is set to local.

Language: TYPE_SCRIPT

Severity Score

5.3

Related Resources (4)

Url: https://github.com/backstage/backstage/security/advisories/GHSA-4jqc-jvh2-pxg9

Url: https://github.com/backstage/backstage

Url: https://github.com/backstage/backstage/commit/429c9f9daa5654dd1b996aa85f7264eb23a2e4fa

Url: https://www.mend.io/vulnerability-database/WS-2022-0154

Severity Score

5.3

Weakness Type (CWE)

Relative Path Traversal

CWE-23

Top Fix

Upgrade Version

Upgrade to version @backstage/plugin-techdocs-node - 1.1.2; @backstage/techdocs-common - 0.11.16

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2022-0154

Good to know:

Date: November 3, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?