
Cloud Vulnerability DB
A community-led vulnerabilities database
A path traversal vulnerability was discovered in Backstage's plugin-scaffolder-backend package (versions >=0.9.4 <0.15.9). The vulnerability was assigned CVE-2021-41151 and was disclosed on October 16, 2021. The vulnerability affects the Backstage open platform for building developer portals, specifically the scaffolder backend plugin (GitHub Advisory).
The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a moderate severity rating. The issue occurs when using the publish:github:pull-request action in a custom Scaffolder template with a particular source path. The vulnerability allows traversal outside of the intended workspace directory when retrieving files (GitHub Commit).
A malicious actor could read sensitive files from the environment where Scaffolder tasks are run. When exploited, the sensitive files would be included in the published pull request. The impact is somewhat mitigated since an attacker would need access to create and register templates in the Backstage catalog, and the exfiltration would be visible as it occurs via pull requests (GitHub Advisory).
The vulnerability was patched in version 0.15.9 of @backstage/plugin-scaffolder-backend. The fix ensures that the sourcePath of publish:github:pull-request can only be used to retrieve files from the workspace (GitHub Commit).
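As an added illustration of the boundary check the fix describes (this is not Backstage's code or the advisory's), a workspace-relative resolver that rejects any sourcePath escaping the task workspace, beside a naive join of the kind that lets it escape. The function names and the workspace path are assumptions.

```typescript
import * as path from 'path';

// Added illustration, not Backstage's own code. A scaffolder task runs in a
// per-task workspace directory and a template supplies sourcePath to select
// files from it. The naive join below is the kind of resolution that lets a
// sourcePath such as "../../etc" escape the workspace (the CWE-22 pattern).
export function naiveResolve(workspace: string, sourcePath: string): string {
  return path.join(workspace, sourcePath);
}

// Hardened form: resolve the candidate, then confirm it is the workspace
// itself or a descendant of it. path.relative() yields '' for the root,
// a '..'-prefixed segment for an escape, and an absolute path when the
// target sits on another drive (Windows); the last two are rejected.
export function resolveWorkspacePath(workspace: string, sourcePath: string): string {
  const root = path.resolve(workspace);
  const target = path.resolve(root, sourcePath);
  const rel = path.relative(root, target);
  const escapes =
    rel === '..' || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error(`sourcePath "${sourcePath}" resolves outside the workspace`);
  }
  return target;
}

// Boolean wrapper for callers that prefer to filter rather than throw.
export function isInsideWorkspace(workspace: string, sourcePath: string): boolean {
  try {
    resolveWorkspacePath(workspace, sourcePath);
    return true;
  } catch (_err) {
    return false;
  }
}
```

Note that a directory literally named `..config` stays allowed, because the check compares whole path segments rather than a string prefix.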
Source: This report was generated using AI