Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the `1.26.0` release of the `@backstage/plugin-catalog-backend`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Metrics
Affected Vendors & Products
References
History
Mon, 23 Sep 2024 19:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Backstage
Backstage backstage |
|
CPEs | cpe:2.3:a:backstage:backstage:*:*:*:*:*:*:*:* | |
Vendors & Products |
Backstage
Backstage backstage |
Wed, 18 Sep 2024 15:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 18 Sep 2024 01:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
| |
Metrics |
threat_severity
|
threat_severity
|
Tue, 17 Sep 2024 20:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the `1.26.0` release of the `@backstage/plugin-catalog-backend`. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |
Title | Prototype pollution in @backstage/plugin-catalog-backend | |
Weaknesses | CWE-1321 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-09-17T20:14:31.104Z
Updated: 2024-09-18T14:49:10.507Z
Reserved: 2024-09-09T14:23:07.506Z
Link: CVE-2024-45815
Vulnrichment
Updated: 2024-09-18T14:49:06.483Z
NVD
Status : Analyzed
Published: 2024-09-17T21:15:12.320
Modified: 2024-09-23T18:31:37.277
Link: CVE-2024-45815
Redhat