Closed alithya-oss-backstage-ci[bot] closed 2 weeks ago
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠️ Warning: custom changes will be lost.
This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.
This PR contains the following updates:

| Package | Change |
|---|---|
| `@backstage/plugin-techdocs-backend` | `1.10.11` -> `1.10.13` |
### @backstage/plugin-techdocs-backend vulnerable to circumvention of cross site scripting protection

CVE-2024-46976 / GHSA-5j94-f3mf-8685

#### Details

##### Impact

An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts into the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker-provided link.

##### Patches

This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package.

##### References

If you have any questions or comments about this advisory:

- Open an issue in the [Backstage repository](https://redirect.github.com/backstage/backstage)
- Visit our Discord, linked to in the [Backstage README](https://redirect.github.com/backstage/backstage)

#### Severity

- CVSS Score: 6.5 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L`

#### References

- [https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685](https://redirect.github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-46976](https://nvd.nist.gov/vuln/detail/CVE-2024-46976)
- [https://github.com/backstage/backstage](https://redirect.github.com/backstage/backstage)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-5j94-f3mf-8685) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

### @backstage/plugin-techdocs-backend storage bucket Directory Traversal vulnerability
CVE-2024-45816 / GHSA-39v3-f278-vj3g

#### Details

##### Impact

When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage.

##### Patches

This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package.

##### References

If you have any questions or comments about this advisory:

- Open an issue in the [Backstage repository](https://redirect.github.com/backstage/backstage)
- Visit our Discord, linked to in the [Backstage README](https://redirect.github.com/backstage/backstage)

#### Severity

- CVSS Score: 6.5 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`

#### References

- [https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g](https://redirect.github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-45816](https://nvd.nist.gov/vuln/detail/CVE-2024-45816)
- [https://github.com/backstage/backstage](https://redirect.github.com/backstage/backstage)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-39v3-f278-vj3g) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

### Release Notes
backstage/backstage (@backstage/plugin-techdocs-backend)
### [`v1.10.13`](https://redirect.github.com/backstage/backstage/blob/HEAD/plugins/techdocs-backend/CHANGELOG.md#11013)

[Compare Source](https://redirect.github.com/backstage/backstage/compare/9e7f4e21861175cb383e7f3ca8f8907b0d76bcbe...159c5077c64c48b7bcab4dc66e5786f1807beae7)

##### Patch Changes

- [`086c32d`](https://redirect.github.com/backstage/backstage/commit/086c32d): Dedicated token for techdocs cache sync
- [`5b679ac`](https://redirect.github.com/backstage/backstage/commit/5b679ac): The `createRouter` and its related types have been marked as deprecated. This backend should instead be initialized using the new backend system.
- [`d425fc4`](https://redirect.github.com/backstage/backstage/commit/d425fc4): Modules, plugins, and services are now `BackendFeature`, not a function that returns a feature.
- [`c2b63ab`](https://redirect.github.com/backstage/backstage/commit/c2b63ab): Updated dependency `supertest` to `^7.0.0`.
- [`5edd344`](https://redirect.github.com/backstage/backstage/commit/5edd344): Refactor to use injected catalog client in the new backend system
- Updated dependencies
  - `@backstage/backend-common@0.25.0`
  - `@backstage/plugin-techdocs-node@1.12.11`
  - `@backstage/backend-plugin-api@1.0.0`
  - `@backstage/catalog-model@1.7.0`
  - `@backstage/catalog-client@1.7.0`
  - `@backstage/plugin-search-backend-module-techdocs@0.2.2`
  - `@backstage/plugin-catalog-common@1.1.0`
  - `@backstage/plugin-catalog-node@1.13.0`
  - `@backstage/integration@1.15.0`
  - `@backstage/config@1.2.0`
  - `@backstage/errors@1.2.4`
  - `@backstage/plugin-permission-common@0.8.1`
  - `@backstage/plugin-techdocs-common@0.1.0`

### [`v1.10.12`](https://redirect.github.com/backstage/backstage/compare/a1ed278c04cbbca5791515a1fa73edd15947832d...9e7f4e21861175cb383e7f3ca8f8907b0d76bcbe)

[Compare Source](https://redirect.github.com/backstage/backstage/compare/a1ed278c04cbbca5791515a1fa73edd15947832d...9e7f4e21861175cb383e7f3ca8f8907b0d76bcbe)

### Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.