Path traversal for local publishers in TechDocs backend
Moderate severity
GitHub Reviewed
Published Jun 14, 2022 in backstage/backstage • Updated Jan 12, 2023
Description
Published to the GitHub Advisory Database: Jun 17, 2022
Reviewed: Jun 17, 2022
Last updated: Jan 12, 2023
Impact
A malicious actor with the ability to register entities in the Software Catalog is able to write files to arbitrary paths on the TechDocs backend host instance when techdocs.publisher.type is set to local. The entity's namespace, kind, and name are used to build the directory the generated documentation is written to, so a value containing ".." escapes the configured publish directory.
This vulnerability is mitigated by the fact that the Software Catalog must be configured with non-standard field format validators and/or non-standard entity policies; the default validators do not accept such values.
Patches
Those affected are advised to upgrade to @backstage/plugin-techdocs-node version 1.1.2 or higher.
Workarounds
If patching or upgrading is not possible, it is sufficient to update any custom Catalog field format validators and/or custom entity policies to disallow entity names, kinds, and namespaces containing ".." (two consecutive dots).
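The following is an added illustration of both the traversal described under Impact and the workaround above; it is example code written for this page, not code from the Backstage project. The Entity shape, the publish root /var/backstage/techdocs, and the "namespace/kind/name" directory layout are assumptions made so the file runs without any @backstage package installed. It shows how joining an unvalidated entity name onto the publish directory resolves outside it, an entity-policy style check that rejects ".." in name, kind, and namespace, and a containment check on the resolved path as defence in depth.

```typescript
import * as path from 'node:path';

// Minimal stand-in for Backstage's Entity type (assumed shape, declared
// locally instead of importing @backstage/catalog-model).
export interface Entity {
  apiVersion: string;
  kind: string;
  metadata: { name: string; namespace?: string };
}

// Hypothetical directory a local publisher writes generated docs into.
export const PUBLISH_ROOT = '/var/backstage/techdocs';

// Vulnerable pattern: the target directory is built from catalog-controlled
// values. path.join normalises "..", so a name such as "../../etc" walks out
// of PUBLISH_ROOT. POSIX path semantics are used so results are deterministic.
export function naiveTargetDir(entity: Entity): string {
  const ns = entity.metadata.namespace ?? 'default';
  return path.posix.join(PUBLISH_ROOT, ns, entity.kind, entity.metadata.name);
}

// Containment check: the fully resolved target must be PUBLISH_ROOT itself or
// a descendant of it. A prefix test alone is not enough ("/var/backstage/techdocs2"
// starts with the root string), hence the trailing separator.
export function isInsideRoot(target: string): boolean {
  const root = path.posix.resolve(PUBLISH_ROOT);
  const resolved = path.posix.resolve(target);
  return resolved === root || resolved.startsWith(root + '/');
}

// The advisory's workaround as a field check: returns a reason string when
// the kind, name or namespace contains "..", or undefined when all are clean.
export function dotDotViolation(entity: Entity): string | undefined {
  const fields: Record<string, string> = {
    kind: entity.kind,
    'metadata.name': entity.metadata.name,
    'metadata.namespace': entity.metadata.namespace ?? 'default',
  };
  for (const [field, value] of Object.entries(fields)) {
    if (value.includes('..')) {
      return `${field} must not contain "..": ${JSON.stringify(value)}`;
    }
  }
  return undefined;
}

// Wrapper in the shape of a Backstage EntityPolicy (enforce() resolves with
// the entity or throws). The interface is mirrored here, not imported.
export class NoDotDotEntityPolicy {
  async enforce(entity: Entity): Promise<Entity> {
    const violation = dotDotViolation(entity);
    if (violation) throw new Error(violation);
    return entity;
  }
}

// Hardened publish step: reject ".." up front and still verify containment of
// the resolved path, so a misconfigured or bypassed policy cannot escape the root.
export function safeTargetDir(entity: Entity): string {
  const violation = dotDotViolation(entity);
  if (violation) throw new Error(violation);
  const target = naiveTargetDir(entity);
  if (!isInsideRoot(target)) {
    throw new Error(`refusing to write outside ${PUBLISH_ROOT}: ${target}`);
  }
  return target;
}

// Constructed sample entities: one benign, one carrying a traversal in its name.
export const benign: Entity = {
  apiVersion: 'backstage.io/v1alpha1',
  kind: 'Component',
  metadata: { name: 'my-service', namespace: 'default' },
};
export const malicious: Entity = {
  apiVersion: 'backstage.io/v1alpha1',
  kind: 'Component',
  metadata: { name: '../../../../../etc/cron.d/pwn', namespace: 'default' },
};
```

Running naiveTargetDir on the malicious entity yields /etc/cron.d/pwn, which is what a local publisher would have written into before 1.1.2 if a custom validator let such a name through; safeTargetDir throws on it and returns the expected path under PUBLISH_ROOT for the benign entity. In a real deployment the policy would be registered with the catalog builder and the containment check would live next to the filesystem write.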
For more information
If you have any questions or comments about this advisory:
References