
@backstage/plugin-catalog-backend Prototype Pollution vulnerability

Moderate severity GitHub Reviewed Published Sep 17, 2024 in backstage/backstage • Updated Sep 17, 2024

Package

npm @backstage/plugin-catalog-backend (npm)

Affected versions

< 1.26.0

Patched versions

1.26.0

Description

Impact

A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API.

Patches

This has been fixed in the 1.26.0 release of the @backstage/plugin-catalog-backend package.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our Discord, linked to in the Backstage README

References

Rugvip published to backstage/backstage Sep 17, 2024
Published by the National Vulnerability Database Sep 17, 2024
Published to the GitHub Advisory Database Sep 17, 2024
Reviewed Sep 17, 2024
Last updated Sep 17, 2024

Severity

Moderate

EPSS score

0.043%
(10th percentile)

Weaknesses

CVE ID

CVE-2024-45815

GHSA ID

GHSA-3x3f-jcp3-g22j

Source code
