CVE-2024-45816 MEDIUM

CVE-2024-45816: Storage bucket Directory Traversal in @backstage/plugin-techdocs-backend

Vendor Backstage

Product backstage

Weakness CWE-23

Published September 17, 2024

Last update September 18, 2024

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

September 17, 2024 CVE published

September 18, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-45816

Related vulnerabilities

CVE-2024-45816: Storage bucket Directory Traversal in @backstage/plugin-techdocs-backend

01Description

02Disclosure timeline

03References

04Related CVE