Home > Vulnerability Database > CVE-2024-26150

Mend.io Vulnerability Database

CVE-2024-26150

Good to know:

Date: February 23, 2024

`@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10.

Language: TYPE_SCRIPT

Severity Score

8.7

Related Resources (6)

Url: https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-26150

Url: https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f

Url: https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871

Url: https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717

Url: https://www.mend.io/vulnerability-database/CVE-2024-26150

Severity Score

8.7

Weakness Type (CWE)

Path Traversal

CWE-22

Top Fix

Upgrade Version

Upgrade to version @backstage/backend-common - 0.19.10,0.20.2,0.21.1

Learn More

CVSS v3.1

Base Score:	8.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-26150

Good to know:

Date: February 23, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?