CVE-2024-47762

MEDIUM EPSS 28.4%
Published Oct 3, 20241y ago · Modified Jun 17, 20262w ago
5.8 CVSS 3.1
Medium
Find Similar
Published Oct 3, 2024 1y ago
Last Modified Jun 17, 2026 2w ago

Description

Backstage is an open framework for building developer portals. Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes. The issue has been resolved in version 0.3.75 of the @backstage/plugin-app-backend package. As a temporary measure, avoid supplying secrets using the APP_CONFIG_ configuration pattern. Consider alternative methods for setting secrets, such as the environment substitution available for Backstage configuration.

CVSS Details

Base Score
5.8
Exploitability
3.9
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
28.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-440

References 2

  • github.com https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f
  • github.com https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.