Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40backstage/backend-defaults@0.0.0-nightly-20230714023527
Type npm
Namespace @backstage
Name backend-defaults
Version 0.0.0-nightly-20230714023527
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 0.12.2
Latest_non_vulnerable_version 0.15.0-next.2
Affected_by_vulnerabilities
0
url VCID-27q8-3zw1-8fb3
vulnerability_id VCID-27q8-3zw1-8fb3
summary Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to one of these versions or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24048.json
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24048.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24048
reference_id
reference_type
scores
0
value 0.00038
scoring_system epss
scoring_elements 0.11849
published_at 2026-06-14T12:55:00Z
1
value 0.00038
scoring_system epss
scoring_elements 0.1179
published_at 2026-06-11T12:55:00Z
2
value 0.00038
scoring_system epss
scoring_elements 0.11873
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24048
2
reference_url https://github.com/backstage/backstage
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/backstage/backstage
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2431884
reference_id 2431884
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2431884
4
reference_url https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb
reference_id 27f9061d24affd1b9212fe0abd476bfc3fbaedcb
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:12Z/
url https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24048
reference_id CVE-2026-24048
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24048
6
reference_url https://github.com/advisories/GHSA-q2x5-4xjx-c6p9
reference_id GHSA-q2x5-4xjx-c6p9
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q2x5-4xjx-c6p9
7
reference_url https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9
reference_id GHSA-q2x5-4xjx-c6p9
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:12Z/
url https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9
fixed_packages
0
url pkg:npm/%40backstage/backend-defaults@0.12.2
purl pkg:npm/%40backstage/backend-defaults@0.12.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-defaults@0.12.2
1
url pkg:npm/%40backstage/backend-defaults@0.13.0-next.0
purl pkg:npm/%40backstage/backend-defaults@0.13.0-next.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-defaults@0.13.0-next.0
2
url pkg:npm/%40backstage/backend-defaults@0.13.2
purl pkg:npm/%40backstage/backend-defaults@0.13.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-defaults@0.13.2
3
url pkg:npm/%40backstage/backend-defaults@0.14.0-next.0
purl pkg:npm/%40backstage/backend-defaults@0.14.0-next.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-defaults@0.14.0-next.0
4
url pkg:npm/%40backstage/backend-defaults@0.14.1
purl pkg:npm/%40backstage/backend-defaults@0.14.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-defaults@0.14.1
5
url pkg:npm/%40backstage/backend-defaults@0.15.0-next.2
purl pkg:npm/%40backstage/backend-defaults@0.15.0-next.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-defaults@0.15.0-next.2
aliases CVE-2026-24048, GHSA-q2x5-4xjx-c6p9
risk_score 1.6
exploitability 0.5
weighted_severity 3.1
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-27q8-3zw1-8fb3
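The redirect bypass described in the summary above comes down to where the allowlist check runs: once on the initial URL, or on every hop. The following is an added example, not Backstage code and not the `FetchUrlReader` implementation. It keeps only a hostname rule from `backend.reading.allow` (the real config entries have more structure); `hostAllowed`, `readUrlFollowingRedirects`, `readUrlCheckingEachHop`, the fixture hosts and the synchronous in-memory fetcher are all assumptions constructed for the demonstration.

```typescript
// Added example (not Backstage code): allowlist checked once vs. on every redirect hop.
// ManualFetch is a constructed, synchronous stand-in for fetch(url, { redirect: "manual" }).
type HopResponse = { status: number; location?: string; body?: string };
type ManualFetch = (url: string) => HopResponse;

// Simplified stand-in for backend.reading.allow: exact hostnames, "*." prefix for subdomains.
function hostAllowed(url: string, allow: readonly string[]): boolean {
  const host = new URL(url).hostname.toLowerCase();
  return allow.some((rule) =>
    rule.startsWith("*.") ? host.endsWith(rule.slice(1).toLowerCase()) : host === rule.toLowerCase(),
  );
}

// Vulnerable pattern: the allowlist is consulted for the initial URL only, then
// Location headers are followed wherever they point.
function readUrlFollowingRedirects(fetchManual: ManualFetch, url: string, allow: readonly string[]): string {
  if (!hostAllowed(url, allow)) throw new Error(`${url} is not in backend.reading.allow`);
  let current = url;
  for (let hop = 0; hop < 20; hop++) {
    const res = fetchManual(current);
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, current).toString(); // unchecked hop: the SSRF
      continue;
    }
    return res.body ?? "";
  }
  throw new Error(`too many redirects from ${url}`);
}

// Hardened pattern: every hop, including the first, passes the same check, and
// the hop count is bounded so a redirect loop cannot run forever.
function readUrlCheckingEachHop(
  fetchManual: ManualFetch, url: string, allow: readonly string[], maxHops = 5,
): string {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!hostAllowed(current, allow)) throw new Error(`${current} is not in backend.reading.allow`);
    const res = fetchManual(current);
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, current).toString();
      continue;
    }
    return res.body ?? "";
  }
  throw new Error(`more than ${maxHops} redirects from ${url}`);
}

// Constructed fixture: an allowlisted host answers with a redirect to an internal address.
const ALLOW = ["github.example.com"];
const FIXTURE: Record<string, HopResponse> = {
  "https://github.example.com/org/repo/catalog-info.yaml": {
    status: 302,
    location: "http://internal-admin.example.internal/secrets",
  },
  "http://internal-admin.example.internal/secrets": { status: 200, body: "db_password=constructed-value" },
};
const fakeFetch: ManualFetch = (url) => FIXTURE[url] ?? { status: 404, body: "" };

function demo(): { naive: string; hardened: string } {
  const target = "https://github.example.com/org/repo/catalog-info.yaml";
  const naive = readUrlFollowingRedirects(fakeFetch, target, ALLOW);
  let hardened: string;
  try {
    hardened = readUrlCheckingEachHop(fakeFetch, target, ALLOW);
  } catch (e) {
    hardened = `blocked: ${(e as Error).message}`;
  }
  return { naive, hardened };
}

console.log(demo());
```

Against the fixture, `naive` is the body of the internal resource and `hardened` is a `blocked:` message naming the off-allowlist hop. A real client is asynchronous and should use `redirect: "manual"` so the hop loop stays under its control. A hostname rule alone is not a complete SSRF defence (IP literals and DNS rebinding still need handling at the network layer), which is why the advisory also recommends network-level controls.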
1
url VCID-t9gj-dq52-a3a3
vulnerability_id VCID-t9gj-dq52-a3a3
summary Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace; and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24046.json
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24046.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24046
reference_id
reference_type
scores
0
value 0.00022
scoring_system epss
scoring_elements 0.06344
published_at 2026-06-14T12:55:00Z
1
value 0.00022
scoring_system epss
scoring_elements 0.06365
published_at 2026-06-13T12:55:00Z
2
value 0.00022
scoring_system epss
scoring_elements 0.06376
published_at 2026-06-12T12:55:00Z
3
value 0.00022
scoring_system epss
scoring_elements 0.06357
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24046
2
reference_url https://github.com/backstage/backstage
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/backstage/backstage
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2431878
reference_id 2431878
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2431878
4
reference_url https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d
reference_id c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:21Z/
url https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24046
reference_id CVE-2026-24046
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24046
6
reference_url https://github.com/advisories/GHSA-rq6q-wr2q-7pgp
reference_id GHSA-rq6q-wr2q-7pgp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rq6q-wr2q-7pgp
7
reference_url https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp
reference_id GHSA-rq6q-wr2q-7pgp
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:21Z/
url https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp
8
reference_url https://access.redhat.com/errata/RHSA-2026:6174
reference_id RHSA-2026:6174
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6174
9
reference_url https://access.redhat.com/errata/RHSA-2026:6802
reference_id RHSA-2026:6802
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6802
fixed_packages
0
url pkg:npm/%40backstage/backend-defaults@0.12.2
purl pkg:npm/%40backstage/backend-defaults@0.12.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-defaults@0.12.2
1
url pkg:npm/%40backstage/backend-defaults@0.13.0-next.0
purl pkg:npm/%40backstage/backend-defaults@0.13.0-next.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-defaults@0.13.0-next.0
2
url pkg:npm/%40backstage/backend-defaults@0.13.2
purl pkg:npm/%40backstage/backend-defaults@0.13.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-defaults@0.13.2
3
url pkg:npm/%40backstage/backend-defaults@0.14.0-next.0
purl pkg:npm/%40backstage/backend-defaults@0.14.0-next.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-defaults@0.14.0-next.0
4
url pkg:npm/%40backstage/backend-defaults@0.14.1
purl pkg:npm/%40backstage/backend-defaults@0.14.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-defaults@0.14.1
5
url pkg:npm/%40backstage/backend-defaults@0.15.0-next.2
purl pkg:npm/%40backstage/backend-defaults@0.15.0-next.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-defaults@0.15.0-next.2
aliases CVE-2026-24046, GHSA-rq6q-wr2q-7pgp
risk_score 4.1
exploitability 0.5
weighted_severity 8.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t9gj-dq52-a3a3
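The symlink traversal in the summary above has two halves: a workspace path that looks local but resolves outside the workspace once links are followed (the `debug:log` and `fs:delete` cases), and an archive entry that plants such a link (the tar/zip case). The following is an added example, not Backstage code and not the Scaffolder's own fix. `resolveInsideWorkspace`, `archiveEntryIsSafe`, the temporary workspace, the planted link and the "secret" file are all constructed for the demonstration; it shows a naive join-and-read beside a resolver that checks the real path.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Added example (not Backstage code): keep template-supplied paths inside a
// Scaffolder-style workspace even when the workspace contains planted symlinks.

function isWithin(root: string, candidate: string): boolean {
  return candidate === root || candidate.startsWith(root + path.sep);
}

// Walk up until lstat succeeds. lstat does not follow the final link, so a
// planted symlink counts as "existing" and is resolved by realpath below.
function deepestExisting(p: string): string {
  for (;;) {
    try {
      fs.lstatSync(p);
      return p;
    } catch (_err) {
      p = path.dirname(p);
    }
  }
}

// Returns the real, fully resolved path for relPath or throws if it leaves the
// workspace, either lexically ("../", absolute) or through a symlink. Works for
// paths that do not exist yet (writes) by resolving the deepest existing prefix.
function resolveInsideWorkspace(workspaceRoot: string, relPath: string): string {
  const root = fs.realpathSync(workspaceRoot);
  const candidate = path.resolve(root, relPath);
  if (!isWithin(root, candidate)) throw new Error(`escapes workspace lexically: ${relPath}`);
  const existing = deepestExisting(candidate);
  // realpath follows every link in the existing prefix; a dangling link throws here, which also rejects it.
  const resolved = path.join(fs.realpathSync(existing), path.relative(existing, candidate));
  if (!isWithin(root, resolved)) throw new Error(`resolves outside workspace via symlink: ${relPath}`);
  return resolved;
}

// Lexical pre-check for tar/zip entries: the entry name must not climb out of the
// extraction root, and a symlink entry's target, resolved relative to the entry's
// own directory, must stay inside it. Use resolveInsideWorkspace at write time as
// well, since a lexical check cannot see links created by earlier entries.
function archiveEntryIsSafe(entryPath: string, linkTarget?: string): boolean {
  const inside = (p: string): boolean => {
    const n = path.posix.normalize(p);
    return !path.posix.isAbsolute(n) && n !== ".." && !n.startsWith("../");
  };
  if (!inside(entryPath)) return false; // classic "../" on the entry name itself
  if (linkTarget === undefined) return true;
  if (path.posix.isAbsolute(linkTarget)) return false;
  return inside(path.posix.join(path.posix.dirname(entryPath), linkTarget));
}

function demo(): { naive: string; hardened: string; archiveEntries: boolean[] } {
  // Constructed layout: <tmp>/workspace plus a "secret" file next to it, outside the workspace.
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "scaffolder-demo-"));
  const workspace = path.join(base, "workspace");
  const secret = path.join(base, "outside-secret.txt");
  fs.mkdirSync(workspace);
  fs.writeFileSync(secret, "constructed secret outside the workspace");
  fs.symlinkSync(secret, path.join(workspace, "innocent.txt")); // attacker-planted link

  // Naive debug:log-style read: join the workspace path and read, following the link.
  const naive = fs.readFileSync(path.join(workspace, "innocent.txt"), "utf8");
  let hardened: string;
  try {
    hardened = fs.readFileSync(resolveInsideWorkspace(workspace, "innocent.txt"), "utf8");
  } catch (e) {
    hardened = `blocked: ${(e as Error).message}`;
  }
  fs.rmSync(base, { recursive: true, force: true });

  const archiveEntries = [
    archiveEntryIsSafe("docs/README.md"),            // plain file: safe
    archiveEntryIsSafe("../escape.txt"),              // entry name climbs out: unsafe
    archiveEntryIsSafe("link", "../../etc/passwd"),   // link target leaves the root: unsafe
    archiveEntryIsSafe("sub/link", "../other.txt"),   // sub/../other.txt stays inside: safe
  ];
  return { naive, hardened, archiveEntries };
}

console.log(demo());
```

The same resolver belongs in front of a delete, since removing "a file in the workspace" must not mean removing whatever a link points at. Resolving against the real path of the workspace root matters on systems where the temp directory is itself a symlink, otherwise every comparison fails.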
Fixing_vulnerabilities
Risk_score 4.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/backend-defaults@0.0.0-nightly-20230714023527