{"url":"http://public2.vulnerablecode.io/api/packages/1074101?format=json","purl":"pkg:npm/%40backstage/plugin-catalog-unprocessed-entities@0.0.0-nightly-20250915023933","type":"npm","namespace":"@backstage","name":"plugin-catalog-unprocessed-entities","version":"0.0.0-nightly-20250915023933","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.2.30","latest_non_vulnerable_version":"0.2.30","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92788?format=json","vulnerability_id":"VCID-851g-75c5-cyay","summary":"Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks\n### Impact   \n\n  The unprocessed entities read endpoints in `@backstage/plugin-catalog-backend-module-unprocessed` do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is \n  an information disclosure vulnerability affecting Backstage installations using this module.                                                                     \n                                                                        \n  ### Patches             \n                                         \n  This is patched in `@backstage/plugin-catalog-backend-module-unprocessed` version 0.6.11, `@backstage/plugin-catalog-unprocessed-entities-common` version 0.0.15 and `@backstage/plugin-catalog-unprocessed-entities` version 0.2.30. Users should upgrade all packages.                                    \n   \n  ### Workarounds                                                                                                                                                                                                                                  \n                                                                        \n  If users cannot upgrade, they can remove the `@backstage/plugin-catalog-backend-module-unprocessed` module from their backend until the patch is applied. There is no configuration-based workaround to add permission checks to these endpoints    \n  without upgrading.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-44374.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-44374.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44374","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09471","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09441","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09499","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09493","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09514","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44374"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-p7g9-rp3g-mgfg","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T16:02:43Z/"}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-p7g9-rp3g-mgfg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44374","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44374"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2477466","reference_id":"2477466","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2477466"},{"reference_url":"https://github.com/advisories/GHSA-p7g9-rp3g-mgfg","reference_id":"GHSA-p7g9-rp3g-mgfg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p7g9-rp3g-mgfg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115923?format=json","purl":"pkg:npm/%40backstage/plugin-catalog-unprocessed-entities@0.2.30","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-catalog-unprocessed-entities@0.2.30"}],"aliases":["CVE-2026-44374","GHSA-p7g9-rp3g-mgfg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-851g-75c5-cyay"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-catalog-unprocessed-entities@0.0.0-nightly-20250915023933"}