Cyber Resilience

CVE-2024-45816

Medium

Published: 17 September 2024

Modified: 03 January 2025
KEV Added: not listed
Patch: available
CVSS v3.1 score: 6.5 (Medium); vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS score: 0.0036 (58.2nd percentile)
Risk priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45816 is a medium-severity Relative Path Traversal (CWE-23) vulnerability in Linux Foundation Backstage. Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Cloud Storage (T1530). The CVE ranks in the top 41.8% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

- T1530 Data from Cloud Storage (Collection): Adversaries may access data from cloud storage.
- T1619 Cloud Storage Object Discovery (Discovery): Adversaries may enumerate objects in cloud storage infrastructure.

Why these techniques?

Directory traversal in the Backstage TechDocs backend lets a low-privileged user read arbitrary content from the AWS S3 or GCS bucket, bypassing Backstage's permission checks. That maps to enumerating objects in cloud storage (T1619) and collecting data from cloud storage (T1530).

MITRE ATLAS Techniques (AI-mapped)

- AML.T0016.000: Adversarial AI Attack Implementations
- AML.T0024.000: Infer Training Data Membership

Affected Assets

Vendor: linuxfoundation
Product: backstage
Versions: ≤ 1.10.13

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
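The control above is the generic fix for this weakness class. As an added example (not Backstage's own code and not the patch shipped in 1.10.13), the following Python validator shows what "keep the request inside the intended directory" means for an object-storage backed documentation site: every key is built under the prefix of the entity the caller was authorized for, and anything that would escape that prefix is refused before the bucket is touched. The `<namespace>/<kind>/<name>/<file>` key layout, the label rules, and the blanket rejection of percent-encoded input are assumptions made for this example.

```python
"""Added example, not code from the Backstage project: validating a
TechDocs-style object path before it is resolved against a storage bucket.

Assumed key layout (not taken from the advisory): <namespace>/<kind>/<name>/<file>.
Because Backstage-style permission checks are made per entity, the key handed
to S3/GCS must never leave the authorized entity's prefix; otherwise an
authorization decision for one entity grants reads of the whole bucket.
"""
import posixpath
import re

# Assumed label policy: one path segment, starts alphanumeric, no separators.
_LABEL = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,62}$")


class UnsafePathError(ValueError):
    """Raised when a request could escape the entity's storage prefix."""


def entity_prefix(namespace: str, kind: str, name: str) -> str:
    """Build the bucket prefix for an entity, validating each label first."""
    for label in (namespace, kind, name):
        if not _LABEL.fullmatch(label):
            raise UnsafePathError(f"invalid entity label: {label!r}")
    # Lowercased so the same entity never maps to two distinct prefixes.
    return f"{namespace.lower()}/{kind.lower()}/{name.lower()}/"


def safe_object_key(namespace: str, kind: str, name: str, requested: str) -> str:
    """Return the object key for `requested`, or raise if it escapes the prefix."""
    prefix = entity_prefix(namespace, kind, name)

    # Reject absolute paths, Windows separators, NUL bytes and percent-encoded
    # input outright (assumed conservative policy): a later decode step could
    # otherwise turn "%2e%2e%2f" into "../".
    if not requested or requested.startswith("/") or "\\" in requested \
            or "\x00" in requested or "%" in requested:
        raise UnsafePathError(f"rejected request path: {requested!r}")

    # posixpath.normpath collapses "a/../b" to "b" and "./x" to "x", but it
    # keeps a leading ".." ("../x" stays "../x"), which is exactly what we must catch.
    normalized = posixpath.normpath(requested)
    parts = normalized.split("/")
    if normalized == "." or ".." in parts or "" in parts:
        raise UnsafePathError(f"path traversal rejected: {requested!r}")

    key = prefix + normalized
    # Defence in depth: the final key must still sit under the authorized prefix.
    if not key.startswith(prefix):
        raise UnsafePathError(f"key escaped prefix: {key!r}")
    return key


def is_safe_request(namespace: str, kind: str, name: str, requested: str) -> bool:
    """Convenience wrapper: True if the request resolves inside the prefix."""
    try:
        safe_object_key(namespace, kind, name, requested)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed sample requests, labelled with the expected decision.
    samples = [
        ("default", "component", "my-service", "index.html"),
        ("default", "component", "my-service", "./docs/../api/index.html"),
        ("default", "component", "my-service", "../other-service/index.html"),
        ("default", "component", "my-service", "..%2fother-service/index.html"),
        ("default", "component", "../other-service", "index.html"),
        ("default", "component", "my-service", "/absolute/index.html"),
    ]
    for ns, kind, name, path in samples:
        verdict = "allow" if is_safe_request(ns, kind, name, path) else "deny "
        print(f"{verdict}  {ns}/{kind}/{name} -> {path!r}")
```

The important design point is that normalization alone is not the check: `normpath` happily returns `../x`, so the code inspects the normalized segments and then re-confirms the prefix on the assembled key. Object stores do not interpret `..` themselves, but code that joins or resolves paths before building the key does, which is why the validation has to happen on the request as the service will actually use it.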

References