Description
Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism and exfiltrate secrets provided to the task run through the task event logs. This issue has been patched in version 3.1.4.
A flaw was found in @backstage/plugin-scaffolder-backend. A malicious scaffolder template can bypass the log redaction mechanism, allowing an attacker to exfiltrate sensitive information (secrets) from task event logs. This vulnerability leads to information disclosure, potentially exposing confidential data.
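The advisory does not describe how the template defeats redaction, so the following is an added illustration of the vulnerability class only, not Backstage code and not the actual bypass fixed in 3.1.4. It assumes a redactor that masks secrets by exact substring replacement (a common design) and shows constructed task event log lines in which a template-controlled step emits the same secret re-encoded or split, which exact matching never sees. A hardened redactor and a post-hoc leak check for stored logs are included; the secret, log lines and function names are all constructed for the example.

```typescript
// Added example: exact-match log redaction versus re-encoded output.
// Not the Backstage implementation; all names and data below are constructed.

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Dependency-free base64 for ASCII strings, so the sample runs anywhere.
function toBase64(s: string): string {
  let out = "";
  for (let i = 0; i < s.length; i += 3) {
    const a = s.charCodeAt(i);
    const b = i + 1 < s.length ? s.charCodeAt(i + 1) : 0;
    const c = i + 2 < s.length ? s.charCodeAt(i + 2) : 0;
    const n = (a << 16) | (b << 8) | c;
    out += B64[(n >> 18) & 63] + B64[(n >> 12) & 63];
    out += i + 1 < s.length ? B64[(n >> 6) & 63] : "=";
    out += i + 2 < s.length ? B64[n & 63] : "=";
  }
  return out;
}

function toHex(s: string): string {
  return s.split("").map((ch) => ("0" + ch.charCodeAt(0).toString(16)).slice(-2)).join("");
}

function uniq(xs: string[]): string[] {
  return xs.filter((x, i) => xs.indexOf(x) === i);
}

// Constructed secret handed to a hypothetical task run (not a real credential).
const SECRET = "ghp_exampleToken1234567890";

// Constructed task event log. Line 1 is the honest case; lines 2-4 are what a
// malicious template step could emit: the secret re-encoded or split into parts.
const sampleLog: string[] = [
  `info: token=${SECRET}`,
  `info: b64=${toBase64(SECRET)}`,
  `info: hex=${toHex(SECRET)}`,
  `info: parts=${SECRET.slice(0, 10)} ${SECRET.slice(10)}`,
];

// Naive redaction: exact substring replacement only.
function naiveRedact(line: string, secrets: string[]): string {
  let out = line;
  for (const s of secrets) out = out.split(s).join("[REDACTED]");
  return out;
}

const MIN_FRAGMENT = 8; // shortest run of a secret still worth masking

// Encodings a template can apply with no effort; extend the list as needed.
function variantsOf(secret: string): string[] {
  return uniq([secret, toBase64(secret), toHex(secret), encodeURIComponent(secret)]);
}

// Hardened redaction: mask known encodings, then every fragment of the raw secret
// of MIN_FRAGMENT or more characters, longest first so long runs are masked whole.
function hardenedRedact(line: string, secrets: string[]): string {
  let out = line;
  for (const s of secrets) {
    for (const v of variantsOf(s)) out = out.split(v).join("[REDACTED]");
    for (let w = s.length; w >= MIN_FRAGMENT; w--) {
      for (let i = 0; i + w <= s.length; i++) {
        out = out.split(s.slice(i, i + w)).join("[REDACTED]");
      }
    }
  }
  return out;
}

// Leak check for logs already stored: does a line still carry the secret in any
// of the above forms, or as a fragment of MIN_FRAGMENT characters or more?
function stillLeaks(line: string, secret: string): boolean {
  if (variantsOf(secret).some((v) => line.indexOf(v) !== -1)) return true;
  for (let i = 0; i + MIN_FRAGMENT <= secret.length; i++) {
    if (line.indexOf(secret.slice(i, i + MIN_FRAGMENT)) !== -1) return true;
  }
  return false;
}

// Number of sample log lines that still leak after running a given redactor.
function countLeaks(redactor: (line: string, secrets: string[]) => string): number {
  return sampleLog.filter((l) => stillLeaks(redactor(l, [SECRET]), SECRET)).length;
}

console.log("naive redactor leaks:", countLeaks(naiveRedact));       // 3
console.log("hardened redactor leaks:", countLeaks(hardenedRedact)); // 0
```

The naive redactor masks only the first line; the base64, hex and split forms pass through untouched, which is the shape of problem the advisory describes. Fragment masking with a minimum length limits, but does not eliminate, what a template that controls its own output can do (shorter chunks, arithmetic on characters), so treat `stillLeaks` as a check to run over retained task logs and a reason to rotate any secret that was available to task runs on an unpatched version, not as a substitute for upgrading to 3.1.4.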
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Fix deferred | | |
| Self-service automation portal 2 | ansible-automation-platform/automation-portal | Fix deferred | | |
Additional information
Status:
CVSS3 score: 2 (Low)
Related vulnerabilities
@backstage/plugin-scaffolder-backend Vulnerable to Potential Session Token Exfiltration via Log Redaction Bypass
CVSS3 score: 2 (Low)