Platform
nodejs
Component
@backstage/backend-common
Fixed in
0.21.1
0.19.11
0.20.1
CVE-2024-26150 describes a Path Traversal vulnerability discovered in @backstage/backend-common, a library used in Backstage developer portals. This flaw arises from inadequate path validation within the resolveSafeChildPath utility, allowing attackers to potentially access sensitive files through symlink manipulation. The vulnerability impacts versions 0.20.0 and below, as well as versions prior to 0.20.2. A fix is available in version 0.21.1.
An attacker exploiting this vulnerability could leverage symlinks to traverse outside the intended directory structure and access arbitrary files on the server. This could include sensitive configuration files, source code, or even system files, depending on the server's permissions and the attacker's ability to inject symlinks. Successful exploitation could lead to information disclosure, privilege escalation, or even remote code execution if the accessed files contain executable code or are used in a vulnerable process. The potential impact is significant, especially in environments where Backstage is used to manage critical developer tools and infrastructure.
This vulnerability was publicly disclosed on February 23, 2024. There are currently no known public exploits or active campaigns targeting this specific vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The relatively recent disclosure and lack of public exploits suggest a low to medium probability of near-term exploitation, but proactive mitigation is still recommended.
Organizations using Backstage developer portals and relying on @backstage/backend-common are at risk. This includes teams managing developer tools, infrastructure, and internal applications. Shared hosting environments where multiple Backstage instances share the same server are particularly vulnerable, as a compromise of one instance could potentially lead to the compromise of others.
• nodejs / server: find /path/to/node_modules/@backstage/backend-common -type f -name 'resolveSafeChildPath.js' -print0 | xargs -0 grep -i 'path.resolve'
• nodejs / server: npm list @backstage/backend-common
• generic web: Inspect web server access logs for requests containing unusual path patterns or attempts to traverse directories using '..' sequences.
Disclosure
Exploit status
EPSS
0.50% (66th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade @backstage/backend-common to version 0.21.1 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter file access controls on the server to limit the potential damage from a successful attack. Review and restrict symlink creation permissions within the application and its environment. Implement a Web Application Firewall (WAF) with rules to detect and block requests containing suspicious path patterns or symlink attempts. After upgrading, verify the fix by attempting to access files outside the intended directory using a crafted URL containing symlink references; access should be denied.
Update the `@backstage/backend-common` package to version 0.21.1, 0.20.2 or 0.19.10 or later. This fixes the path traversal vulnerability caused by symlink manipulation. Run `npm install @backstage/backend-common@latest` or `yarn upgrade @backstage/backend-common@latest` to update.
CVE-2024-26150 is a HIGH severity Path Traversal vulnerability affecting @backstage/backend-common versions ≤0.20.0 and <0.20.2. Insufficient path checks allow symlink injection, potentially enabling unauthorized file access.
You are affected if you are using @backstage/backend-common versions 0.20.0 or below, or versions prior to 0.20.2. Check your project dependencies to determine if you are vulnerable.
Upgrade to @backstage/backend-common version 0.21.1 or later. If upgrading is not immediately possible, implement stricter file access controls and input validation.
While no active exploitation campaigns have been publicly reported, the vulnerability is publicly known and a proof-of-concept may be available, increasing the risk of opportunistic attacks.
Refer to the Backstage security advisories and the NVD entry for CVE-2024-26150 for detailed information and updates.