Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-3x3f-jcp3-g22j: @backstage/plugin-catalog-backend Prototype Pollution vulnerability

Impact

A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API.

Patches

This has been fixed in the 1.26.0 release of the @backstage/plugin-catalog-backend package.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository Visit our Discord, linked to in Backstage README

ghsa
#vulnerability#nodejs#git#auth
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-45815

@backstage/plugin-catalog-backend Prototype Pollution vulnerability

Moderate severity GitHub Reviewed Published Sep 17, 2024 in backstage/backstage • Updated Sep 17, 2024

Package

npm @backstage/plugin-catalog-backend (npm)

Affected versions

< 1.26.0

Impact

A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API.

Patches

This has been fixed in the 1.26.0 release of the @backstage/plugin-catalog-backend package.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README

References

  • GHSA-3x3f-jcp3-g22j

Published to the GitHub Advisory Database

Sep 17, 2024

Last updated

Sep 17, 2024

ghsa: Latest News

GHSA-2p6p-9rc9-62j9: Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled