Lucene search

Linuxfoundation Backstage

8 matches found

CVE
added 2024/01/04 10:15 a.m. | 110 views

CVE-2023-6944

A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. The sanitized error can display on the frontend, including the raw access token. Upon gainin...

CVSS 5.7 | AI score 5.4 | EPSS 0.00165

CVE
added 2024/09/17 9:15 p.m. | 99 views

CVE-2024-45815

Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the 1.26.0 release...

CVSS 6.5 | AI score 6.3 | EPSS 0.00295

CVE
added 2021/06/03 10:15 p.m. | 75 views

CVE-2021-32662

Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. In @backstage/techdocs-common versions prior to 0.6.3, a malicious actor could read sensitive files from the environment where TechDocs documentation is built ...

CVSS 6.5 | AI score 6.2 | EPSS 0.00484

CVE
added 2024/09/17 9:15 p.m. | 61 views

CVE-2024-45816

Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks i...

CVSS 6.5 | AI score 6.4 | EPSS 0.00243

CVE
added 2024/09/17 9:15 p.m. | 59 views

CVE-2024-46976

Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker...

CVSS 6.5 | AI score 5.9 | EPSS 0.00077

CVE
added 2023/06/22 2:15 p.m. | 57 views

CVE-2023-35926

Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been vm2, but in light of several past vulnerabilities and e...

CVSS 9.9 | AI score 9.4 | EPSS 0.02213

CVE
added 2021/10/18 9:15 p.m. | 47 views

CVE-2021-41151

Backstage is an open platform for building developer portals. In affected versions a malicious actor could read sensitive files from the environment where Scaffolder Tasks are run. The attack is executed by crafting a custom Scaffolder template with a github:publish:pull-request action and a partic...

CVSS 6.8 | AI score 5 | EPSS 0.00454

CVE
added 2021/11/29 8:15 p.m. | 40 views

CVE-2021-43783

@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. In affected versions a malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the scaffolder-backend h...

CVSS 8.5 | AI score 8.3 | EPSS 0.00353