PT-2021-23131 · Unknown · @Backstage/Plugin-Scaffolder-Backend

Rugvip · Published 2021-10-18 · Updated 2021-10-22 · CVE-2021-41151

CVSS v3.1: 6.8 Medium
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Affected software and versions: @backstage/plugin-scaffolder-backend versions prior to 0.15.9

Description: A malicious actor could read sensitive files from the environment where Scaffolder tasks run by crafting a custom Scaffolder template that uses the github:publish:pull-request action with a source path that points outside the task workspace. When the template is executed, the files under that path are included in the published pull request. Two factors limit the impact: the attacker needs permission to create and register templates in the Backstage catalog, and the exfiltration is highly visible because it happens through a pull request opened in the target repository.

Recommendations: Update @backstage/plugin-scaffolder-backend to release 0.15.9 or later, which patches the vulnerability. As a temporary workaround, restrict who can create and register templates in the Backstage catalog to reduce the risk of exploitation. Since the exfiltration channel is the published pull request, reviewing pull requests opened by the Scaffolder for files that do not belong to the template output is the natural place to spot an attempt.
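The path-handling problem behind this advisory, as an added example in TypeScript that is not code from the Backstage project or from this advisory: a constructed malicious template step whose source path escapes the task workspace, a naive resolution that follows it, and a containment check of the kind the fix needs. Only the action name github:publish:pull-request comes from the advisory; the step shape, the input names, the helper names and the workspace location are assumptions for illustration. Paths are handled with path.posix so the results are deterministic regardless of host platform.

```typescript
import * as path from 'path';

// Constructed example of a template step an attacker with catalog access could
// register. Assumption: the action reads a `sourcePath` input relative to the
// task workspace (the advisory only says "a particular source path").
export const MALICIOUS_STEP = {
  id: 'publish',
  action: 'github:publish:pull-request',
  input: {
    repoUrl: 'github.com?owner=attacker&repo=drop',   // constructed value
    branchName: 'chore/update',
    title: 'innocuous change',
    sourcePath: '../../../../etc',                     // escapes the workspace
  },
};

// Vulnerable pattern: the user-controlled path is simply resolved against the
// workspace, so `..` segments and absolute paths walk out of it. Everything the
// action then reads from the resolved directory ends up in the pull request.
export function resolveUnsafe(workspacePath: string, sourcePath: string): string {
  return path.posix.resolve(workspacePath, sourcePath);
}

// Hardened pattern: resolve the same way, then refuse any result that is not the
// workspace itself or a descendant of it. The check is done on the relative
// path between the two, so `..` in the middle of a path (`a/../../b`) and
// absolute inputs (`/etc/passwd`) are both caught. Note that this is a purely
// lexical check; if the workspace can contain symlinks created by earlier
// steps, the caller must additionally compare realpath() results.
export function resolveSafeChildPath(workspacePath: string, sourcePath: string): string {
  const base = path.posix.resolve(workspacePath);
  const target = path.posix.resolve(base, sourcePath);
  const rel = path.posix.relative(base, target);
  if (rel === '') {
    return base;                                       // the workspace itself
  }
  const escapes =
    rel === '..' || rel.startsWith('..' + path.posix.sep) || path.posix.isAbsolute(rel);
  if (escapes) {
    throw new Error(
      `Relative path is not allowed to refer to a directory outside its parent: ${sourcePath}`,
    );
  }
  return target;
}

// Convenience predicate for validating a step's input before the action runs.
export function isInsideWorkspace(workspacePath: string, sourcePath: string): boolean {
  try {
    resolveSafeChildPath(workspacePath, sourcePath);
    return true;
  } catch {
    return false;
  }
}

// Stand-alone demonstration against an assumed workspace location.
const workspace = '/tmp/scaffolder/workspace-1';
console.log('unsafe  :', resolveUnsafe(workspace, MALICIOUS_STEP.input.sourcePath));
console.log('allowed :', isInsideWorkspace(workspace, MALICIOUS_STEP.input.sourcePath));
console.log('allowed :', isInsideWorkspace(workspace, 'packages/app'));
```

The rejection message is deliberately specific about what was refused so that a failed task reveals the attempted escape in its log, which matches the advisory's point that this attack is hard to hide.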

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-41151
GHSA-PVV8-8FX9-H673

Affected Products

@Backstage/Plugin-Scaffolder-Backend