Benjdlambert

**Name of the Vulnerable Software and Affected Versions** @backstage/plugin-catalog-backend-module-unprocessed versions prior to 0.6.11 @backstage/plugin-catalog-unprocessed-entities-common versions prior to 0.0.15 @backstage/plugin-catalog-unprocessed-entities versions prior to 0.2.30 **Description** The unprocessed entities read endpoints in `@backstage/plugin-catalog-backend-module-unprocessed` do not enforce permission authorization checks. This allows any authenticated user to access unprocessed entity records regardless of ownership, leading to information disclosure. **Recommendations** Update @backstage/plugin-catalog-backend-module-unprocessed to version 0.6.11. Update @backstage/plugin-catalog-unprocessed-entities-common to version 0.0.15. Update @backstage/plugin-catalog-unprocessed-entities to version 0.2.30. As a temporary workaround, remove the `@backstage/plugin-catalog-backend-module-unprocessed` module from the backend.

**Name of the Vulnerable Software and Affected Versions** Backstage versions prior to 3.1.5 **Description** Backstage is an open framework for building developer portals. Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured `scaffolder.defaultEnvironment.secrets` are affected. The API endpoint involved is the dry-run API. The vulnerable configuration is `scaffolder.defaultEnvironment.secrets`. **Recommendations** Versions prior to 3.1.5 should be updated to version 3.1.5 or later. Remove or empty the `scaffolder.defaultEnvironment.secrets` configuration from `app-config.yaml`. Alternatively, restrict access to the scaffolder dry-run functionality via the permissions framework.

**Name of the Vulnerable Software and Affected Versions** Backstage versions prior to 0.27.1 **Description** Backstage, an open framework for building developer portals, has an issue in the experimental OIDC provider within the `@backstage/plugin-auth-backend` component. Specifically, a redirect URI allowlist bypass can occur in instances where experimental Dynamic Client Registration or Client ID Metadata Documents are enabled and `allowedRedirectUriPatterns` are configured. A crafted redirect URI can bypass validation and resolve to a host controlled by an attacker. If a user approves the resulting OAuth consent request, their authorization code is sent to the attacker, allowing them to obtain a valid access token. This requires user interaction and the explicit enabling of one of the experimental features, which is not the default configuration. The vulnerable component utilizes the `allowedRedirectUriPatterns` variable for validation. **Recommendations** Upgrade to `@backstage/plugin-auth-backend` version 0.27.1 or later. Disable experimental Dynamic Client Registration and Client ID Metadata Documents features if they are not required.

**Name of the Vulnerable Software and Affected Versions** Backstage versions prior to 0.27.1 **Description** Backstage is an open framework for building developer portals. A Server-Side Request Forgery (SSRF) issue exists in the `@backstage/plugin-auth-backend` component when the `auth.experimentalClientIdMetadataDocuments.enabled` setting is enabled. The component validates the initial `client id` hostname against private IP ranges, but this validation is not applied after HTTP redirects. The impact is limited as an attacker cannot read the response body, control request headers, or the request method. The feature is disabled by default and deployments restricting `allowedClientIdPatterns` to trusted domains are not affected. **Recommendations** Versions prior to 0.27.1: Update to version 0.27.1 or later. Versions prior to 0.27.1: Disable the experimental CIMD feature by setting `auth.experimentalClientIdMetadataDocuments.enabled` to `false` in your app-config. Versions prior to 0.27.1: Restrict `allowedClientIdPatterns` to specific trusted domains.

**Name of the Vulnerable Software and Affected Versions** Backstage versions prior to 1.14.3 **Description** Backstage, an open framework for building developer portals, contains a configuration bypass that can lead to arbitrary code execution. The `@backstage/plugin-techdocs-node` package uses an allowlist to filter potentially dangerous MkDocs configuration keys during documentation builds. A flaw in this allowlist allows attackers to create a malicious `mkdocs.yml` file that executes arbitrary Python code, bypassing TechDocs' security measures. The vulnerable component is the TechDocs documentation build process. The vulnerable configuration file is `mkdocs.yml`. **Recommendations** Versions prior to 1.14.3 should be updated to version 1.14.3 or later. As a temporary workaround, configure TechDocs with `runIn: docker` instead of `runIn: local` to provide container isolation. Restrict access to `mkdocs.yml` files to trusted contributors only. Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious configurations. Downgrade MkDocs to a version prior to 1.4.0, such as 1.3.1, to disable hooks.

**Name of the Vulnerable Software and Affected Versions** Backstage versions prior to 1.13.11 and 1.14.1 **Description** Backstage is a framework for building developer portals, and `@backstage/plugin-techdocs-node` provides functionalities for TechDocs. A path traversal issue exists in the TechDocs local generator when Backstage is configured with `techdocs.generator.runIn: local`. Symlinks within the documentation directory are followed during the build process, potentially allowing attackers to read arbitrary files from the host filesystem when processing documentation from untrusted sources. File contents are embedded into generated HTML and exposed to users viewing the documentation. The issue occurs because MkDocs follows symlinks during the build process. **Recommendations** Versions prior to 1.13.11 should be updated to version 1.13.11 or later. Versions prior to 1.14.1 should be updated to version 1.14.1 or later. Switch to `runIn: docker` in `app-config.yaml`. Restrict write access to TechDocs source repositories to trusted users only.

Name of the Vulnerable Software and Affected Versions: @backstage/plugin-scaffolder-backend versions prior to 2.1.1 Description: The backend for the default Backstage software templates exhibited duplicate logging of input values in the `fetch:template` action within the Scaffolder. This resulted in improper redaction of secrets. The issue occurs when the variable `${{ secrets.x }}` is passed to the `fetch:template` action. Recommendations: Versions prior to 2.1.1 should be updated to version 2.1.1 or later. Template Authors can remove the use of `${{ secrets }}` as an argument to `fetch:template`.

**Name of the Vulnerable Software and Affected Versions** @backstage/backend-common versions prior to 0.21.1 @backstage/backend-common versions prior to 0.20.2 @backstage/backend-common versions prior to 0.19.10 **Description** The issue concerns the `@backstage/backend-common` library, where paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to a risk of path traversal vulnerabilities if symlinks can be injected by attackers. **Recommendations** For versions prior to 0.21.1, update to version 0.21.1 or later. For versions prior to 0.20.2, update to version 0.20.2 or later. For versions prior to 0.19.10, update to version 0.19.10 or later. As a temporary workaround, consider restricting the use of the `resolveSafeChildPath` utility until a patch is applied.