GHSA-3x3f-jcp3-g22j: @backstage/plugin-catalog-backend Prototype Pollution vulnerability

Impact

A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API.

Patches

This has been fixed in the 1.26.0 release of the @backstage/plugin-catalog-backend package.
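A check for the patched release named above, as an added example that is not part of the advisory or the Backstage project: it scans `yarn.lock` text for every resolved copy of the package and flags versions that sort below 1.26.0. It assumes a Yarn-managed repository; the sample lock text is constructed and mixes classic and Berry syntax only to exercise both.

```javascript
// Added example. PKG and FIXED come from the advisory; all sample data is constructed.
const PKG = '@backstage/plugin-catalog-backend';
const FIXED = '1.26.0'; // first patched release (no prerelease tag)

// Split "1.25.3-next.0+build" into a numeric core and a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when v sorts below FIXED under semver precedence.
function isAffected(v) {
  const a = parseVersion(v), b = parseVersion(FIXED);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre; // same core: a prerelease sorts before the release
}

// Collect every resolved version of PKG from yarn.lock text (classic or Berry).
function resolvedVersions(lockText) {
  const found = new Set();
  let inEntry = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) {
      // Entry header. Matching "PKG@" skips sibling packages such as
      // @backstage/plugin-catalog-backend-module-github.
      inEntry = line.includes(PKG + '@');
      continue;
    }
    const m = inEntry && /^  version:?\s+"?([^"\s]+)"?\s*$/.exec(line);
    if (m) found.add(m[1]);
  }
  return [...found];
}

const affectedCopies = (lockText) => resolvedVersions(lockText).filter(isAffected);

// Constructed sample: two classic-syntax entries, a sibling package, one Berry entry.
const SAMPLE_LOCK = [
  '"@backstage/plugin-catalog-backend@^1.24.0":', '  version "1.25.2"',
  '"@backstage/plugin-catalog-backend@^1.26.0":', '  version "1.26.0"',
  '"@backstage/plugin-catalog-backend-module-github@^0.6.0":', '  version "0.6.5"',
  '"@backstage/plugin-catalog-backend@npm:1.26.0-next.1":', '  version: 1.26.0-next.1',
].join('\n');

console.log(affectedCopies(SAMPLE_LOCK));
```

To scan a real repository, pass the contents of its lockfile, for example `fs.readFileSync('yarn.lock', 'utf8')`, to `affectedCopies`.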

References

If you have any questions or comments about this advisory:

  • Open an issue in the Backstage repository
  • Visit our Discord, linked to in Backstage README

CVE-2024-45815

Moderate severity • GitHub Reviewed • Published Sep 17, 2024 in backstage/backstage • Updated Sep 17, 2024

Package

@backstage/plugin-catalog-backend (npm)

Affected versions

< 1.26.0

References

  • GHSA-3x3f-jcp3-g22j

Published to the GitHub Advisory Database: Sep 17, 2024

Last updated: Sep 17, 2024