Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40backstage/plugin-techdocs-backend@0.0.0-nightly-20230902020952

Type npm

Namespace @backstage

Name plugin-techdocs-backend

Version 0.0.0-nightly-20230902020952

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.10.13

Latest_non_vulnerable_version 1.10.13

Affected_by_vulnerabilities

url VCID-jpj8-auf5-f7cp

vulnerability_id VCID-jpj8-auf5-f7cp

summary

@backstage/plugin-techdocs-backend storage bucket Directory Traversal vulnerability
When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45816.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45816.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-45816

reference_id

reference_type

scores

value	0.00355
scoring_system	epss
scoring_elements	0.58139
published_at	2026-06-08T12:55:00Z

value	0.00355
scoring_system	epss
scoring_elements	0.58153
published_at	2026-06-07T12:55:00Z

value	0.00355
scoring_system	epss
scoring_elements	0.58156
published_at	2026-06-05T12:55:00Z

value	0.00355
scoring_system	epss
scoring_elements	0.58164
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-45816

reference_url

https://github.com/backstage/backstage

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/backstage/backstage

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2312953
reference_id	2312953
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2312953

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-45816

reference_id

CVE-2024-45816

reference_type

scores

value	7.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-45816

reference_url

https://github.com/advisories/GHSA-39v3-f278-vj3g

reference_id

GHSA-39v3-f278-vj3g

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-39v3-f278-vj3g

reference_url

https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g

reference_id

GHSA-39v3-f278-vj3g

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	7.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T14:50:10Z/

url

https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g

fixed_packages

url	pkg:npm/%40backstage/plugin-techdocs-backend@1.10.13
purl	pkg:npm/%40backstage/plugin-techdocs-backend@1.10.13
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-techdocs-backend@1.10.13

aliases CVE-2024-45816, GHSA-39v3-f278-vj3g

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jpj8-auf5-f7cp

url VCID-r2bx-fd9s-ybc3

vulnerability_id VCID-r2bx-fd9s-ybc3

summary

@backstage/plugin-techdocs-backend vulnerable to circumvention of cross site scripting protection
An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-46976.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-46976.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-46976

reference_id

reference_type

scores

value	0.00185
scoring_system	epss
scoring_elements	0.3997
published_at	2026-06-08T12:55:00Z

value	0.00185
scoring_system	epss
scoring_elements	0.39997
published_at	2026-06-07T12:55:00Z

value	0.00185
scoring_system	epss
scoring_elements	0.40022
published_at	2026-06-05T12:55:00Z

value	0.00185
scoring_system	epss
scoring_elements	0.40025
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-46976

reference_url

https://github.com/backstage/backstage

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

value	4.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/backstage/backstage

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2312954
reference_id	2312954
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2312954

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-46976

reference_id

CVE-2024-46976

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

value	4.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-46976

reference_url

https://github.com/advisories/GHSA-5j94-f3mf-8685

reference_id

GHSA-5j94-f3mf-8685

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5j94-f3mf-8685

reference_url

https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685

reference_id

GHSA-5j94-f3mf-8685

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	4.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T13:47:03Z/

url

https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685

fixed_packages

url	pkg:npm/%40backstage/plugin-techdocs-backend@1.10.13
purl	pkg:npm/%40backstage/plugin-techdocs-backend@1.10.13
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-techdocs-backend@1.10.13

aliases CVE-2024-46976, GHSA-5j94-f3mf-8685

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r2bx-fd9s-ybc3

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-techdocs-backend@0.0.0-nightly-20230902020952

Package Instance