SCA: security update for @backstage/techdocs-common (GHSA-pwhf-39xg-4rxw)

high Tenable Cloud Security Plugin ID 417746

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Backstage is an open platform for building developer portals, and techdocs-common contains common
functionalities for Backstage's TechDocs. In versions of `@backstage/tehdocs-common` prior to 0.6.4, a
malicious internal actor is able to upload documentation content with malicious scripts. These scripts
would normally be sanitized by the TechDocs frontend, but by tricking a user to visit the content via the
TechDocs API, the content sanitazion will be bypassed. If the TechDocs API is hosted on the same origin as
the Backstage app or other backend plugins, this may give access to sensitive data. The ability to upload
malicious content may be limited by internal code review processes, unless the chosen TechDocs deployment
method is to use an object store and the actor has access to upload files directly to that store. The
vulnerability is patched in the `0.6.4` release of `@backstage/techdocs-common`. (CVE-2021-32660)

See Also

https://github.com/advisories/GHSA-pwhf-39xg-4rxw

Plugin Details

Severity: High

ID: 417746

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2021-32660

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/4/2021

Vulnerability Publication Date: 6/3/2021

Reference Information

CVE: CVE-2021-32660