CVE-2021-43783: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

November 29, 2021 (updated December 1, 2021)

A malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the scaffolder-backend host instance. This vulnerability can in some situation also be exploited through user input when executing a template, meaning you do not need write access to the templates. This method will not allow the attacker to control the contents of the injected file however, unless the template is also crafted in a specific way that gives control of the file contents.

References

github.com/backstage/backstage/commit/f9352ab606367cd9efc6ff048915c70ed3013b7f
github.com/backstage/backstage/security/advisories/GHSA-mg3m-f475-28hv
nvd.nist.gov/vuln/detail/CVE-2021-43783

Code Behaviors & Features

Detect and mitigate CVE-2021-43783 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →