{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47762", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-30T21:28:53.231Z", "datePublished": "2024-10-03T17:14:34.529Z", "dateUpdated": "2024-10-03T17:40:40.551Z"}, "containers": {"cna": {"title": "Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend", "problemTypes": [{"descriptions": [{"cweId": "CWE-440", "lang": "en", "description": "CWE-440: Expected Behavior Violation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc"}, {"name": "https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f"}], "affected": [{"vendor": "backstage", "product": "backstage", "versions": [{"version": "< 0.3.75", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-03T17:14:34.529Z"}, "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes. The issue has been resolved in version 0.3.75 of the @backstage/plugin-app-backend package. As a temporary measure, avoid supplying secrets using the APP_CONFIG_ configuration pattern. Consider alternative methods for setting secrets, such as the environment substitution available for Backstage configuration."}], "source": {"advisory": "GHSA-qc4v-xq2m-65wc", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "backstage", "product": "backstage", "cpes": ["cpe:2.3:a:backstage:backstage:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.3.75", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-03T17:39:32.784567Z", "id": "CVE-2024-47762", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T17:40:40.551Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47762", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-03T17:39:32.784567Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:backstage:backstage:*:*:*:*:*:*:*:*"], "vendor": "backstage", "product": "backstage", "versions": [{"status": "affected", "version": "0", "lessThan": "0.3.75", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T17:40:10.899Z"}}], "cna": {"title": "Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend", "source": {"advisory": "GHSA-qc4v-xq2m-65wc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "backstage", "product": "backstage", "versions": [{"status": "affected", "version": "< 0.3.75"}]}], "references": [{"url": "https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc", "name": "https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f", "name": "https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes. The issue has been resolved in version 0.3.75 of the @backstage/plugin-app-backend package. As a temporary measure, avoid supplying secrets using the APP_CONFIG_ configuration pattern. Consider alternative methods for setting secrets, such as the environment substitution available for Backstage configuration."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-440", "description": "CWE-440: Expected Behavior Violation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-03T17:14:34.529Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47762", "state": "PUBLISHED", "dateUpdated": "2024-10-03T17:40:40.551Z", "dateReserved": "2024-09-30T21:28:53.231Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-10-03T17:14:34.529Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals. Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes. The issue has been resolved in version 0.3.75 of the @backstage/plugin-app-backend package. As a temporary measure, avoid supplying secrets using the APP_CONFIG_ configuration pattern. Consider alternative methods for setting secrets, such as the environment substitution available for Backstage configuration."}, {"lang": "es", "value": "Backstage es un framework abierto para crear portales para desarrolladores. La configuraci\u00f3n suministrada a trav\u00e9s de las variables de entorno APP_CONFIG_*, por ejemplo APP_CONFIG_backend_listen_port=7007, ignoraba inesperadamente la visibilidad definida en el esquema de configuraci\u00f3n. Esto ocurr\u00eda incluso si el esquema de configuraci\u00f3n especificaba que deb\u00edan tener visibilidad secreta o de backend. Esta era una caracter\u00edstica prevista de la forma APP_CONFIG_* de suministrar configuraci\u00f3n, pero ahora claramente va en contra del comportamiento esperado del sistema de configuraci\u00f3n. Este comportamiento conlleva un riesgo de exponer potencialmente detalles de configuraci\u00f3n confidenciales que se pretende que permanezcan privados o restringidos a los procesos de backend. El problema se ha resuelto en la versi\u00f3n 0.3.75 del paquete @backstage/plugin-app-backend. Como medida temporal, evite suministrar secretos mediante el patr\u00f3n de configuraci\u00f3n APP_CONFIG_. Considere m\u00e9todos alternativos para configurar secretos, como la sustituci\u00f3n de entorno disponible para la configuraci\u00f3n de Backstage."}], "id": "CVE-2024-47762", "lastModified": "2024-10-04T13:50:43.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-10-03T18:15:05.287", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f"}, {"source": "security-advisories@github.com", "url": "https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-440"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "backstage/plugin-app-backend: Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend", "id": "2316342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316342"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-440", "details": ["Backstage is an open framework for building developer portals. Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes. The issue has been resolved in version 0.3.75 of the @backstage/plugin-app-backend package. As a temporary measure, avoid supplying secrets using the APP_CONFIG_ configuration pattern. Consider alternative methods for setting secrets, such as the environment substitution available for Backstage configuration.", "A flaw was found in the backstage/plugin-app-backend package. Configurations supplied through APP_CONFIG_* environment variables unexpectedly ignore the visibility defined in the configuration schema, potentially exposing sensitive configuration details intended to remain private or restricted to backend processes."], "mitigation": {"lang": "en:us", "value": "Avoid supplying secrets using the APP_CONFIG_* configuration pattern. Consider alternative methods such as the environment variable substitution.\nSee this link for more information about environment variable substitution: https://backstage.io/docs/conf/writing/#environment-variable-substitution"}, "name": "CVE-2024-47762", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh-hub-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}], "public_date": "2024-10-03T17:14:34Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47762\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47762\nhttps://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f\nhttps://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc"], "threat_severity": "Moderate"}