{"id":"CVE-2021-32662","details":"Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. In `@backstage/techdocs-common` versions prior to 0.6.3, a malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for `docs_dir` in `mkdocs.yml`. These files would then be available over the TechDocs backend API. This vulnerability is mitigated by the fact that an attacker would need access to modify the `mkdocs.yml` in the documentation source code, and would also need access to the TechDocs backend API. The vulnerability is patched in the `0.6.3` release of `@backstage/techdocs-common`.","aliases":["GHSA-pgf8-28gg-vpr6"],"modified":"2026-04-10T04:44:45.262497Z","published":"2021-06-03T22:15:07.873Z","related":["GHSA-pgf8-28gg-vpr6"],"references":[{"type":"ADVISORY","url":"https://github.com/backstage/backstage/releases/tag/release-2021-05-27"},{"type":"ADVISORY","url":"https://github.com/backstage/backstage/security/advisories/GHSA-pgf8-28gg-vpr6"},{"type":"FIX","url":"https://github.com/backstage/backstage/commit/8cefadca04cbf01d0394b0cb1983247e5f1d6208"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/backstage/backstage","events":[{"introduced":"0"},{"fixed":"8cefadca04cbf01d0394b0cb1983247e5f1d6208"}]},{"type":"GIT","repo":"https://github.com/backstage/backstage","events":[{"introduced":"0"},{"fixed":"cc1de02d8944e304df7a6a23c8671030f9156ab8"}]},{"type":"GIT","repo":"https://github.com/backstage/backstage","events":[{"introduced":"0"},{"fixed":"8cefadca04cbf01d0394b0cb1983247e5f1d6208"}]},{"type":"GIT","repo":"https://github.com/backstage/backstage","events":[{"introduced":"0"},{"fixed":"cc1de02d8944e304df7a6a23c8671030f9156ab8"}]}],"versions":["cli-old-cache-watch","hackweek-demo","release-2021-01-07","release-2021-01-08","release-2021-01-09","release-2021-01-14","release-2021-01-14.1","release-2021-01-18","release-2021-01-20","release-2021-01-21","release-2021-01-21.1","release-2021-01-28","release-2021-01-29","release-2021-02-01","release-2021-02-03","release-2021-02-05","release-2021-02-11","release-2021-02-16","release-2021-02-18","release-2021-02-23","release-2021-03-04","release-2021-03-09","release-2021-03-11","release-2021-03-11.1","release-2021-03-16","release-2021-03-17","release-2021-03-18","release-2021-03-19","release-2021-03-25","release-2021-03-31","release-2021-03-31.1","release-2021-04-08","release-2021-04-13","release-2021-04-15","release-2021-04-21","release-2021-04-22","release-2021-04-22.1","release-2021-04-29","release-2021-05-04","release-2021-05-06","release-2021-05-10","release-2021-05-11","release-2021-05-12","release-2021-05-12.1","release-2021-05-17","release-2021-05-20","release-2021-05-20.1","release-2021-1-7","v0.1.0","v0.1.1","v0.1.1-alpha.0","v0.1.1-alpha.1","v0.1.1-alpha.10","v0.1.1-alpha.11","v0.1.1-alpha.12","v0.1.1-alpha.13","v0.1.1-alpha.15","v0.1.1-alpha.16","v0.1.1-alpha.17","v0.1.1-alpha.18","v0.1.1-alpha.19","v0.1.1-alpha.2","v0.1.1-alpha.20","v0.1.1-alpha.21","v0.1.1-alpha.22","v0.1.1-alpha.23","v0.1.1-alpha.24","v0.1.1-alpha.25","v0.1.1-alpha.26","v0.1.1-alpha.3","v0.1.1-alpha.4","v0.1.1-alpha.5","v0.1.1-alpha.6","v0.1.1-alpha.7","v0.1.1-alpha.8","v0.10.0","v0.11.0","v0.11.1","v0.11.2","v0.11.3","v0.12.0","v0.13.0","v0.13.1","v0.14.0","v0.15.0","v0.16.0","v0.16.1","v0.17.0","v0.17.1","v0.17.2","v0.17.3","v0.18.0","v0.18.1","v0.19.0","v0.2.0","v0.20.0","v0.20.1","v0.21.0","v0.21.1","v0.22.0","v0.22.1","v0.22.2","v0.23.0","v0.24.0","v0.24.1","v0.25.0","v0.25.1","v0.25.2","v0.25.3","v0.26.0","v0.26.1","v0.27.0","v0.28.0","v0.3.0","v0.3.1","v0.3.2","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.5.0","v0.6.0","v0.7.0","v0.8.0","v0.8.1","v0.8.2","v0.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32662.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"0.6.3"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}