A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API.
Patches
This has been fixed in the 1.26.0 release of the @backstage/plugin-catalog-backend package.
References
If you have any questions or comments about this advisory, open an issue in the Backstage repository or visit our Discord, linked to in the Backstage README.
backstage/backstage (@backstage/plugin-catalog-backend)
### [`v1.26.0`](https://redirect.github.com/backstage/backstage/blob/HEAD/plugins/catalog-backend/CHANGELOG.md#1260)
[Compare Source](https://redirect.github.com/backstage/backstage/compare/v1.25.2...v1.26.0)
##### Minor Changes
- [`74acf06`](https://redirect.github.com/backstage/backstage/commit/74acf06): Add `dependencyOf` prop to catalog model for Component kind to enable building relationship graphs with both directions using `dependsOn` and `dependencyOf`.
- [`78475c3`](https://redirect.github.com/backstage/backstage/commit/78475c3): Allow offset mode paging in entity list provider
- [`bd35cdb`](https://redirect.github.com/backstage/backstage/commit/bd35cdb): The `analyze-location` endpoint is now protected by the `catalog.location.analyze` permission.
  The `validate-entity` endpoint is now protected by the `catalog.entity.validate` permission.
##### Patch Changes
- [`1882cfe`](https://redirect.github.com/backstage/backstage/commit/1882cfe): Moved `getEntities` ordering to utilize database instead of having it inside catalog client
  Please note that the latest version of `@backstage/catalog-client` will not order the entities in the same way as before. This is because the ordering is now done in the database query instead of in the client. If you rely on the ordering of the entities, you may need to update your backend plugin or code to handle this change.
- [`d425fc4`](https://redirect.github.com/backstage/backstage/commit/d425fc4): Modules, plugins, and services are now `BackendFeature`, not a function that returns a feature.
- [`c2b63ab`](https://redirect.github.com/backstage/backstage/commit/c2b63ab): Updated dependency `supertest` to `^7.0.0`.
- [`53cce86`](https://redirect.github.com/backstage/backstage/commit/53cce86): Fixed an issue with the by-query call, where ordering by a field that does not exist on all entities led to not all results being returned
- Updated dependencies:
  - `@backstage/backend-common@0.25.0`
  - `@backstage/backend-plugin-api@1.0.0`
  - `@backstage/catalog-model@1.7.0`
  - `@backstage/catalog-client@1.7.0`
  - `@backstage/plugin-search-backend-module-catalog@0.2.2`
  - `@backstage/plugin-permission-node@0.8.3`
  - `@backstage/plugin-catalog-common@1.1.0`
  - `@backstage/plugin-catalog-node@1.13.0`
  - `@backstage/integration@1.15.0`
  - `@backstage/backend-openapi-utils@0.1.18`
  - `@backstage/plugin-events-node@0.4.0`
  - `@backstage/config@1.2.0`
  - `@backstage/errors@1.2.4`
  - `@backstage/types@1.1.1`
  - `@backstage/plugin-permission-common@0.8.1`
### [`v1.25.2`](https://redirect.github.com/backstage/backstage/releases/tag/v1.25.2)
[Compare Source](https://redirect.github.com/backstage/backstage/compare/v1.25.1...v1.25.2)
This release fixes an issue where requests for the public `http` routes for the `events-backend` were authenticated causing 401 errors.
### [`v1.25.1`](https://redirect.github.com/backstage/backstage/releases/tag/v1.25.1)
[Compare Source](https://redirect.github.com/backstage/backstage/compare/v1.25.0...v1.25.1)
This release fixes a bug where the kubernetes plugin would crash reading `credentials` from `undefined`.
### [`v1.25.0`](https://redirect.github.com/backstage/backstage/blob/HEAD/plugins/catalog-backend/CHANGELOG.md#1250)
[Compare Source](https://redirect.github.com/backstage/backstage/compare/v1.24.0...v1.25.0)
##### Minor Changes
- [`163ba08`](https://redirect.github.com/backstage/backstage/commit/163ba08): Deprecated `RouterOptions`, `CatalogBuilder`, and `CatalogEnvironment`. Please make sure to upgrade to the new backend system.
- [`fc24d9e`](https://redirect.github.com/backstage/backstage/commit/fc24d9e): Stop using `@backstage/backend-tasks` as it will be deleted in near future.
##### Patch Changes
- [`776eb56`](https://redirect.github.com/backstage/backstage/commit/776eb56): `ProcessorOutputCollector` returns an error when receiving deferred entities that have an invalid `metadata.annotations` format.
  This allows returning an error on an actual validation issue instead of reporting afterwards that the location annotations are missing, which is misleading for users.
- [`389f5a4`](https://redirect.github.com/backstage/backstage/commit/389f5a4): Update deprecated url-reader-related imports.
- [`93095ee`](https://redirect.github.com/backstage/backstage/commit/93095ee): Make sure node-fetch is version 2.7.0 or greater
- [`a629fb2`](https://redirect.github.com/backstage/backstage/commit/a629fb2): Added setAllowedLocationTypes while introducing a new extension point called CatalogLocationsExtensionPoint
- [`51240ee`](https://redirect.github.com/backstage/backstage/commit/51240ee): Preserve default `allowedLocationTypes` when `setAllowedLocationTypes()` of `CatalogLocationsExtensionPoint` is not called.
- Updated dependencies:
  - `@backstage/backend-plugin-api@0.8.0`
  - `@backstage/backend-common@0.24.0`
  - `@backstage/plugin-permission-common@0.8.1`
  - `@backstage/plugin-permission-node@0.8.1`
  - `@backstage/plugin-search-backend-module-catalog@0.2.0`
  - `@backstage/plugin-catalog-node@1.12.5`
  - `@backstage/integration@1.14.0`
  - `@backstage/catalog-model@1.6.0`
  - `@backstage/backend-openapi-utils@0.1.16`
  - `@backstage/catalog-client@1.6.6`
  - `@backstage/config@1.2.0`
  - `@backstage/errors@1.2.4`
  - `@backstage/types@1.1.1`
  - `@backstage/plugin-catalog-common@1.0.26`
  - `@backstage/plugin-events-node@0.3.9`
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR contains the following updates: `@backstage/plugin-catalog-backend` 1.24.0 -> 1.26.0
GitHub Vulnerability Alerts
CVE-2024-45815
Impact and Patches: as described in the advisory text above.
References: open an issue in the Backstage repository, or visit our Discord, linked to in the Backstage README.
Release Notes: the changelog for v1.25.0 through v1.26.0 is reproduced above.
This PR was generated by Mend Renovate. View the repository job log.