CVE-2024-53983
CVSS 3.1 Score 5.4 of 10 (medium)
Details
Summary
CVE-2024-53983 is a medium severity vulnerability affecting the Backstage Scaffolder plugin. The issue lies in the template functionality of the plugin, which can be exploited through Server-Side Template Injection (SSTI) to perform Git config injection. An attacker who successfully exploits this vulnerability can capture privileged git tokens used by the Backstage Scaffolder plugin, potentially gaining unauthorized access to sensitive resources in Git. The Backstage Threat Model recommends restricting access to adding and editing templates in the Backstage Catalog plugin as a mitigation. Users are encouraged to upgrade to version `v0.4.12`, `v0.5.1`, or `v0.6.1` of the `@backstage/plugin-scaffolder-node` package to address this issue. Those unable to upgrade should ensure that templates do not modify Git config to prevent exploitation.
Affected Products
- BackStage