CVE-2021-32662

Published: Jun 3, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. In `@backstage/techdocs-common` versions prior to 0.6.3, a malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for `docs_dir` in `mkdocs.yml`. These files would then be available over the TechDocs backend API. This vulnerability is mitigated by the fact that an attacker would need access to modify the `mkdocs.yml` in the documentation source code, and would also need access to the TechDocs backend API. The vulnerability is patched in the `0.6.3` release of `@backstage/techdocs-common`.

Vendor	Product	Versions
backstage	backstage	affected `< 0.6.3`

Weaknesses (CWE)

CWE-22

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/backstage/backstage/security/advisories/GHSA-pgf8-28gg-vpr6

x_refsource_CONFIRM

https://github.com/backstage/backstage/commit/8cefadca04cbf01d0394b0cb1983247e5f1d6208

x_refsource_MISC

https://github.com/backstage/backstage/releases/tag/release-2021-05-27

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-32662

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References