Remote Code Execution (RCE) Affecting @backstage/plugin-scaffolder-backend package, versions >=0.1.1-alpha.9 <0.15.14
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-BACKSTAGEPLUGINSCAFFOLDERBACKEND-2308016
- published 2 Dec 2021
- disclosed 1 Dec 2021
- credit Unknown
How to fix?
Upgrade @backstage/plugin-scaffolder-backend
to version 0.15.14 or higher.
Overview
@backstage/plugin-scaffolder-backend is a The Backstage backend plugin that helps you create new things
Affected versions of this package are vulnerable to Remote Code Execution (RCE). The templating library used in this package assumes that templates based on nunjucks
are trusted, which is considered as an undesired property.
###Note: This is only exploitable in the template yaml definition itself and not by user input data.
References
CVSS Scores
version 3.1