CVE-2024-26150 - OpenCVE

`@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f
https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717
https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871
https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h
https://nvd.nist.gov/vuln/detail/CVE-2024-26150
https://www.cve.org/CVERecord?id=CVE-2024-26150

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-02-23T15:46:35.731Z

Updated: 2024-08-01T23:59:32.589Z

Reserved: 2024-02-14T17:40:03.690Z

Link: CVE-2024-26150

Vulnrichment

Updated: 2024-05-23T19:01:13.186Z

NVD

Status : Awaiting Analysis

Published: 2024-02-23T16:15:48.570

Modified: 2024-02-23T19:31:25.817

Link: CVE-2024-26150

Redhat

Severity : Moderate

Publid Date: 2024-02-23T00:00:00Z

Links: CVE-2024-26150 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26150", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-14T17:40:03.690Z", "datePublished": "2024-02-23T15:46:35.731Z", "dateUpdated": "2024-08-01T23:59:32.589Z"}, "containers": {"cna": {"title": "`@backstage/backend-common` vulnerable to path traversal through symlinks", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h"}, {"name": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f"}, {"name": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717"}, {"name": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871"}], "affected": [{"vendor": "backstage", "product": "backstage", "versions": [{"version": "= 0.21.0", "status": "affected"}, {"version": "< 0.19.10", "status": "affected"}, {"version": ">= 0.20.0, < 0.20.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-23T15:46:35.731Z"}, "descriptions": [{"lang": "en", "value": "`@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10."}], "source": {"advisory": "GHSA-2fc9-xpp8-2g9h", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26150", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-23T22:34:48.476857Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:48:21.482Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:59:32.589Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h"}, {"name": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f"}, {"name": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717"}, {"name": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26150", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-14T17:40:03.690Z", "datePublished": "2024-02-23T15:46:35.731Z", "dateUpdated": "2024-06-04T17:48:21.482Z"}, "containers": {"cna": {"title": "`@backstage/backend-common` vulnerable to path traversal through symlinks", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h"}, {"name": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f"}, {"name": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717"}, {"name": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871"}], "affected": [{"vendor": "backstage", "product": "backstage", "versions": [{"version": "= 0.21.0", "status": "affected"}, {"version": "< 0.19.10", "status": "affected"}, {"version": ">= 0.20.0, < 0.20.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-23T15:46:35.731Z"}, "descriptions": [{"lang": "en", "value": "`@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10."}], "source": {"advisory": "GHSA-2fc9-xpp8-2g9h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26150", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-23T22:34:48.476857Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:13.186Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "`@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10."}, {"lang": "es", "value": "`@backstage/backend-common` es una librer\u00eda de funcionalidad com\u00fan para backends de Backstage, una plataforma abierta para crear portales de desarrolladores. En `@backstage/backend-common` anterior a las versiones 0.21.1, 0.20.2 y 0.19.10, las comprobaciones de rutas con la utilidad `resolveSafeChildPath` no eran lo suficientemente exhaustivas, lo que generaba riesgo de vulnerabilidades de path traversal si se pod\u00edan inyectar enlaces simb\u00f3licos. por los atacantes. Este problema se solucion\u00f3 en las versiones `@backstage/backend-common` 0.21.1, 0.20.2 y 0.19.10."}], "id": "CVE-2024-26150", "lastModified": "2024-02-23T19:31:25.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-02-23T16:15:48.570", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f"}, {"source": "security-advisories@github.com", "url": "https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717"}, {"source": "security-advisories@github.com", "url": "https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871"}, {"source": "security-advisories@github.com", "url": "https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "backstage/backend-common: path traversal through symlinks", "id": "2272112", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272112"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["`@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10.", "A flaw was found in the backstage/backend-common package. Path checks with the \"resolveSafeChildPath\" utility were not exhaustive enough, leading to the risk of a path traversal vulnerability if symlinks are injected by attackers."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-26150", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Will not fix", "package_name": "rhdh-hub-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}], "public_date": "2024-02-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26150\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26150"], "statement": "RHDH actions do not use symlinks and would not be exposed. There is a small chance that customers can use 3rd party software templates that use symlinks but it's a low risk and to our knowledge, none of our customers are going into production with 1.0. If they had intentions to, we would advise them to use 1.1 which is patched already.\nSince 1.0 is in maintenance mode, our decision is aligned with our lifecycle policy to only backport critical and important CVEs. So marking as would not fix.", "threat_severity": "Moderate", "upstream_fix": "backstage/backend-common 0.21.1, backstage/backend-common 0.19.10, backstage/backend common0.20.2"}