PT-2024-32800 · Unknown · @backstage/plugin-app-backend

Rugvip · Published 2024-10-03 · Updated 2024-10-04 · CVE-2024-47762

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: @backstage/plugin-app-backend versions prior to 0.3.75

Description: The issue concerns configuration supplied through APP_CONFIG_* environment variables, for which the visibility defined in the configuration schema is unexpectedly ignored. As a result, configuration values intended to remain secret or restricted to backend processes may be exposed.

Recommendations: For versions prior to 0.3.75, upgrade to version 0.3.75 of the @backstage/plugin-app-backend package. As a temporary measure, avoid supplying secrets through APP_CONFIG_* environment variables; use an alternative method for setting secrets, such as the environment variable substitution available in Backstage configuration.
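The recommended workaround, as an added illustration that is not part of the advisory: keep the secret in an ordinary environment variable and reference it from app-config.yaml through Backstage's ${VAR} substitution instead of injecting it via an APP_CONFIG_* variable. The key path backend.myPlugin.apiKey and the variable name MY_PLUGIN_API_KEY are placeholders chosen for this example.

```yaml
# app-config.yaml (added example; key path and variable name are placeholders)
backend:
  myPlugin:
    # Weak pattern to avoid on affected versions: exporting
    #   APP_CONFIG_backend_myPlugin_apiKey='"..."'
    # feeds the value in through the APP_CONFIG_* path, where the
    # visibility declared in the config schema is ignored, so a value
    # meant to stay backend-only or secret may be exposed.
    #
    # Corrected pattern: reference a plain environment variable.
    # Backstage resolves ${MY_PLUGIN_API_KEY} when it loads the config,
    # and the schema visibility for backend.myPlugin.apiKey is honoured
    # as usual for values that come from the config file.
    apiKey: ${MY_PLUGIN_API_KEY}
```

Set MY_PLUGIN_API_KEY in the backend process environment (for example from the secret store of the deployment platform) rather than defining any APP_CONFIG_* variable for it.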

Related Identifiers

CVE-2024-47762
GHSA-QC4V-XQ2M-65WC

Affected Products

@backstage/plugin-app-backend