exploitDog

GHSA-8wq8-6859-qx77

Published: 12 Mar 2026
Source: github
GitHub: Reviewed
CVSS3: 4.4

Description

@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Impact

Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload.

Deployments that have configured scaffolder.defaultEnvironment.secrets are affected.

Patches

This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.

Workarounds

Remove or empty the scaffolder.defaultEnvironment.secrets configuration from app-config.yaml. Alternatively, restrict access to the scaffolder dry-run functionality via the permissions framework.

References

Packages

Name
@backstage/plugin-scaffolder-backend
npm

Affected versions: >= 3.1.0, < 3.1.5
Fixed version: 3.1.5

EPSS

Percentile: 10%
0.00033
Low

CVSS3: 4.4 Medium

Weaknesses

CWE-200

Related vulnerabilities

CVSS3: 4.4
redhat
15 days ago

A data exposure flaw has been discovered in the @backstage/plugin-scaffolder-backend npm library. Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected.

CVSS3: 4.4
nvd
15 days ago

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.
