{"id":"GHSA-pgf8-28gg-vpr6","summary":"Path traversal","details":"### Impact\n\nA malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for `docs_dir` in `mkdocs.yml`. These files would then be available over the TechDocs backend API.\n\nThis vulnerability is mitigated by the fact that an attacker would need access to modify the `mkdocs.yml` in the documentation source code, and would also need access to the TechDocs backend API.\n\n### Patches\n\nThe vulnerability is patched in the `0.6.3` release of `@backstage/techdocs-common`.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in the [Backstage repository](https://github.com/backstage/backstage)\n* Visit our chat, linked to in [Backstage README](https://github.com/backstage/backstage)","aliases":["CVE-2021-32662"],"modified":"2026-03-13T22:14:45.044483Z","published":"2021-06-04T19:09:20Z","related":["CVE-2021-32662"],"database_specific":{"github_reviewed":true,"nvd_published_at":"2021-06-03T22:15:00Z","severity":"MODERATE","github_reviewed_at":"2021-06-03T22:01:05Z","cwe_ids":["CWE-22"]},"references":[{"type":"WEB","url":"https://github.com/backstage/backstage/security/advisories/GHSA-pgf8-28gg-vpr6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32662"},{"type":"WEB","url":"https://github.com/backstage/backstage/commit/8cefadca04cbf01d0394b0cb1983247e5f1d6208"},{"type":"WEB","url":"https://github.com/backstage/backstage/releases/tag/release-2021-05-27"}],"affected":[{"package":{"name":"@backstage/techdocs-common","ecosystem":"npm","purl":"pkg:npm/%40backstage/techdocs-common"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.6.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-pgf8-28gg-vpr6/GHSA-pgf8-28gg-vpr6.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}