CVE-2024-26150

Description

### Impact Paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. ### Patches Patched in `@backstage/backend-common` version `0.21.1`. Patched in `@backstage/backend-common` version `0.20.2`. Patched in `@backstage/backend-common` version `0.19.10`. ### For more information If you have any questions or comments about this advisory: - Open an issue in the [Backstage repository](https://github.com/backstage/backstage) - Visit our Discord, linked to in [Backstage README](https://github.com/backstage/backstage)

How to fix CVE-2024-26150

To remediate CVE-2024-26150, upgrade the affected package to a fixed version below.

• —upgrade to 0.21.1 or later

Is CVE-2024-26150 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 0.21.0, < 0.21.1

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-26150
• PATCHgithub.com/backstage/backstage
• WEBgithub.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f
• WEBgithub.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717