Description

Backstage is an open framework for building developer portals. Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes. The issue has been resolved in version 0.3.75 of the @backstage/plugin-app-backend package. As a temporary measure, avoid supplying secrets using the APP_CONFIG_ configuration pattern. Consider alternative methods for setting secrets, such as the environment substitution available for Backstage configuration.

INFO

Published Date :

2024-10-03T17:14:34.529Z

Last Modified :

2024-10-03T17:40:40.551Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-47762 vulnerability.

Vendors Products
Backstage
  • Backstage
Redhat
  • Rhdh
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-47762.

URL Resource
https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f cve-icon cve-icon cve-icon
https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-47762 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-47762 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact