
CVE-2024-53983 – Server-side request forgery in Backstage Scaffolder plugin
https://notcve.org/view.php?id=CVE-2024-53983
29 Nov 2024 — The Backstage Scaffolder plugin houses types and utilities for building scaffolder-related modules. A vulnerability is identified in Backstage Scaffolder template functionality where Server-Side Template Injection (SSTI) can be exploited to perform Git config injection. The vulnerability allows an attacker to capture privileged git tokens used by the Backstage Scaffolder plugin. With these tokens, unauthorized access to sensitive resources in git can be achieved. The impact is considered medium severity as ... • https://github.com/backstage/backstage/security/advisories/GHSA-qmc2-jpr5-7rg9 • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2024-47762 – Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend
https://notcve.org/view.php?id=CVE-2024-47762
03 Oct 2024 — Backstage is an open framework for building developer portals. Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, were unexpectedly ignoring the visibility defined in the configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configura... • https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f • CWE-440: Expected Behavior Violation •

CVE-2024-45815 – Prototype pollution in @backstage/plugin-catalog-backend
https://notcve.org/view.php?id=CVE-2024-45815
17 Sep 2024 — Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the `1.26.0` release of the `@backstage/plugin-catalog-backend`. All users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/backstage/backstage/security/advisories/GHSA-3x3f-jcp3-g22j • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •

CVE-2024-45816 – Storage bucket Directory Traversal in @backstage/plugin-techdocs-backend
https://notcve.org/view.php?id=CVE-2024-45816
17 Sep 2024 — Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. All users are advised to upgrade. • https://github.com/backstage/backstage/security/advisories/GHSA-39v3-f278-vj3g • CWE-23: Relative Path Traversal •

CVE-2024-46976 – Circumvention of cross site scripting Protection in @backstage/plugin-techdocs-backend
https://notcve.org/view.php?id=CVE-2024-46976
17 Sep 2024 — Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker-provided link. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685 • CWE-693: Protection Mechanism Failure •

CVE-2024-26150 – `@backstage/backend-common` vulnerable to path traversal through symlinks
https://notcve.org/view.php?id=CVE-2024-26150
23 Feb 2024 — `@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, path checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10. `@backstage/backend-common` es ... • https://github.com/backstage/backstage/commit/1ad2b1b61ebb430051f7d804b0cc7ebfe7922b6f • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2023-6944 – Rhdh: catalog-import function leaks credentials to frontend
https://notcve.org/view.php?id=CVE-2023-6944
04 Jan 2024 — A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. The sanitized error can display on the frontend, including the raw access token. Upon gaining access to this token and depending on permissions, an attacker could push malicious code to repositories, delete resources in Git, revoke or generate new keys, and sign code illegitimately. • https://access.redhat.com/security/cve/CVE-2023-6944 • CWE-209: Generation of Error Message Containing Sensitive Information •

CVE-2023-35926 – Insecure sandbox in Backstage Scaffolder plugin
https://notcve.org/view.php?id=CVE-2023-35926
22 Jun 2023 — Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the templat... • https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2021-43783 – Path Traversal in @backstage/plugin-scaffolder-backend
https://notcve.org/view.php?id=CVE-2021-43783
29 Nov 2021 — @backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. In affected versions a malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the scaffolder-backend host instance. This vulnerability can in some situations also be exploited through user input when executing a template, meaning you do not need write access to the templates. This method will not allow the attacker... • https://github.com/backstage/backstage/commit/f9352ab606367cd9efc6ff048915c70ed3013b7f • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2021-41151 – Path Traversal in @backstage/plugin-scaffolder-backend
https://notcve.org/view.php?id=CVE-2021-41151
18 Oct 2021 — Backstage is an open platform for building developer portals. In affected versions a malicious actor could read sensitive files from the environment where Scaffolder Tasks are run. The attack is executed by crafting a custom Scaffolder template with a `github:publish:pull-request` action and a particular source path. When the template is executed the sensitive files would be included in the published pull request. This vulnerability is mitigated by the fact that an attacker would need access to create and r... • https://github.com/backstage/backstage/commit/6968962c920508eae19a4c1c200fa2c8980a4006 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •