CVE-2024-47762: Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend

October 3, 2024

Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes.

References

github.com/advisories/GHSA-qc4v-xq2m-65wc
github.com/backstage/backstage
github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f
github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc
nvd.nist.gov/vuln/detail/CVE-2024-47762

Detect and mitigate CVE-2024-47762 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →