@backstage/techdocs-common/.../techdocs-common@0.0.0-nightly-2021032473 vulnerabilities

No longer maintained. Use @backstage/plugin-techdocs-node instead.

Direct Vulnerabilities

Known vulnerabilities in the @backstage/techdocs-common package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free
VulnerabilityVulnerable Version
  • H
Directory Traversal

@backstage/techdocs-common is a Common functionalities for TechDocs, to be shared between techdocs-backend plugin and techdocs-cli

Affected versions of this package are vulnerable to Directory Traversal. Folder traversal is possible via mkdocs.yml docs_dir value.

How to fix Directory Traversal?

Upgrade @backstage/techdocs-common to version 0.6.5 or higher.

<0.6.5
  • M
Directory Traversal

@backstage/techdocs-common is a Common functionalities for TechDocs, to be shared between techdocs-backend plugin and techdocs-cli

Affected versions of this package are vulnerable to Directory Traversal. A malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for docs_dir in mkdocs.yml. These files would then be available over the TechDocs backend API. The attacker would need access to modify the mkdocs.yml in the documentation source code, and would also need access to the TechDocs backend API.

How to fix Directory Traversal?

Upgrade @backstage/techdocs-common to version 0.6.3 or higher.

<0.6.3
  • M
Cross-site Scripting (XSS)

@backstage/techdocs-common is a Common functionalities for TechDocs, to be shared between techdocs-backend plugin and techdocs-cli

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A malicious internal actor is able to upload documentation content with malicious scripts. These scripts would normally be sanitized by the TechDocs frontend, but by tricking a user to visit the content via the TechDocs API, the content sanitization will be bypassed. If the TechDocs API is hosted on the same origin as the Backstage app or other backend plugins, this may give access to sensitive data.

How to fix Cross-site Scripting (XSS)?

Upgrade @backstage/techdocs-common to version 0.6.4 or higher.

<0.6.4