Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/%40backstage/backend-common@0.0.0-nightly-2021101222132
Typenpm
Namespace@backstage
Namebackend-common
Version0.0.0-nightly-2021101222132
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version0.19.10
Latest_non_vulnerable_version0.21.1
Affected_by_vulnerabilities
0
url VCID-un58-fhfg-kfhg
vulnerability_id VCID-un58-fhfg-kfhg
summary 
`@backstage/backend-common` vulnerable to path traversal through symlinks
### Impact

Paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers.

### Patches
Patched in `@backstage/backend-common` version `0.21.1`.
Patched in `@backstage/backend-common` version `0.20.2`.
Patched in `@backstage/backend-common` version `0.19.10`.


### For more information
If you have any questions or comments about this advisory:

- Open an issue in the [Backstage repository](https://github.com/backstage/backstage)
- Visit our Discord, linked to in [Backstage README](https://github.com/backstage/backstage)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26150.json
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26150.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-26150
reference_id
reference_type
scores
0
value 0.00504
scoring_system epss
scoring_elements 0.66535
published_at 2026-06-08T12:55:00Z
1
value 0.00504
scoring_system epss
scoring_elements 0.66549
published_at 2026-06-07T12:55:00Z
2
value 0.00504
scoring_system epss
scoring_elements 0.66564
published_at 2026-06-06T12:55:00Z
3
value 0.00504
scoring_system epss
scoring_elements 0.66556
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-26150
2
reference_url https://github.com/backstage/backstage
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/backstage/backstage
3
reference_url https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-23T22:34:48Z/
url https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f
4
reference_url https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-23T22:34:48Z/
url https://github.com/backstage/backstage/commit/78f892b3a84d63de2ba167928f171154c447b717
5
reference_url https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-23T22:34:48Z/
url https://github.com/backstage/backstage/commit/edf65d7d31e027599c2415f597d085ee84807871
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2272112
reference_id 2272112
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2272112
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26150
reference_id CVE-2024-26150
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26150
8
reference_url https://github.com/advisories/GHSA-2fc9-xpp8-2g9h
reference_id GHSA-2fc9-xpp8-2g9h
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2fc9-xpp8-2g9h
9
reference_url https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h
reference_id GHSA-2fc9-xpp8-2g9h
reference_type
scores
0
value 8.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-23T22:34:48Z/
url https://github.com/backstage/backstage/security/advisories/GHSA-2fc9-xpp8-2g9h
fixed_packages
0
url pkg:npm/%40backstage/backend-common@0.19.10
purl pkg:npm/%40backstage/backend-common@0.19.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-common@0.19.10
1
url pkg:npm/%40backstage/backend-common@0.20.0-next.0
purl pkg:npm/%40backstage/backend-common@0.20.0-next.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-common@0.20.0-next.0
2
url pkg:npm/%40backstage/backend-common@0.20.2
purl pkg:npm/%40backstage/backend-common@0.20.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-common@0.20.2
3
url pkg:npm/%40backstage/backend-common@0.21.0-next.0
purl pkg:npm/%40backstage/backend-common@0.21.0-next.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-common@0.21.0-next.0
4
url pkg:npm/%40backstage/backend-common@0.21.1
purl pkg:npm/%40backstage/backend-common@0.21.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-common@0.21.1
aliases CVE-2024-26150, GHSA-2fc9-xpp8-2g9h
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-un58-fhfg-kfhg
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-common@0.0.0-nightly-2021101222132