{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26150", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-14T17:40:03.690Z", "datePublished": "2024-02-23T15:46:35.731Z", "dateUpdated": "2024-08-01T23:59:32.589Z"}, "containers": {"cna": {"title": "`@backstage/backend-common` vulnerable to path traversal through symlinks", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h"}, {"name": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f"}, {"name": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717"}, {"name": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871"}], "affected": [{"vendor": "backstage", "product": "backstage", "versions": [{"version": "= 0.21.0", "status": "affected"}, {"version": "< 0.19.10", "status": "affected"}, {"version": ">= 0.20.0, < 0.20.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-23T15:46:35.731Z"}, "descriptions": [{"lang": "en", "value": "`@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10."}], "source": {"advisory": "GHSA-2fc9-xpp8-2g9h", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26150", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-23T22:34:48.476857Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:48:21.482Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:59:32.589Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h"}, {"name": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f"}, {"name": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717"}, {"name": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26150", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-14T17:40:03.690Z", "datePublished": "2024-02-23T15:46:35.731Z", "dateUpdated": "2024-06-04T17:48:21.482Z"}, "containers": {"cna": {"title": "`@backstage/backend-common` vulnerable to path traversal through symlinks", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h"}, {"name": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f"}, {"name": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717"}, {"name": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871"}], "affected": [{"vendor": "backstage", "product": "backstage", "versions": [{"version": "= 0.21.0", "status": "affected"}, {"version": "< 0.19.10", "status": "affected"}, {"version": ">= 0.20.0, < 0.20.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-23T15:46:35.731Z"}, "descriptions": [{"lang": "en", "value": "`@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10."}], "source": {"advisory": "GHSA-2fc9-xpp8-2g9h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26150", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-23T22:34:48.476857Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:13.186Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:backstage_backend-common:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9535A5B5-0A1C-43EB-9B33-DD2A915768F4", "versionEndExcluding": "0.19.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:backstage_backend-common:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D311CF67-703E-463A-AE95-6806241E0C54", "versionEndExcluding": "0.20.2", "versionStartIncluding": "0.20.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:backstage_backend-common:0.21.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "83796E3D-719E-4B94-94F3-FC34973CF0ED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "`@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10."}, {"lang": "es", "value": "`@backstage/backend-common` es una librer\u00eda de funcionalidad com\u00fan para backends de Backstage, una plataforma abierta para crear portales de desarrolladores. En `@backstage/backend-common` anterior a las versiones 0.21.1, 0.20.2 y 0.19.10, las comprobaciones de rutas con la utilidad `resolveSafeChildPath` no eran lo suficientemente exhaustivas, lo que generaba riesgo de vulnerabilidades de path traversal si se pod\u00edan inyectar enlaces simb\u00f3licos. por los atacantes. Este problema se solucion\u00f3 en las versiones `@backstage/backend-common` 0.21.1, 0.20.2 y 0.19.10."}], "id": "CVE-2024-26150", "lastModified": "2025-02-05T21:36:57.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-23T16:15:48.570", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "backstage/backend-common: path traversal through symlinks", "id": "2272112", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272112"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["`@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10.", "A flaw was found in the backstage/backend-common package. Path checks with the \"resolveSafeChildPath\" utility were not exhaustive enough, leading to the risk of a path traversal vulnerability if symlinks are injected by attackers."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-26150", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Will not fix", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}], "public_date": "2024-02-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26150\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26150"], "statement": "RHDH actions do not use symlinks and would not be exposed. There is a small chance that customers can use 3rd party software templates that use symlinks but it's a low risk and to our knowledge, none of our customers are going into production with 1.0. If they had intentions to, we would advise them to use 1.1 which is patched already.\nSince 1.0 is in maintenance mode, our decision is aligned with our lifecycle policy to only backport critical and important CVEs. So marking as would not fix.", "threat_severity": "Moderate"}