PT-2024-35995 · Unknown · @Backstage/Plugin-Scaffolder-Node

Rugvip · Published 2024-11-29 · Updated 2026-03-31 · CVE-2024-53983

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: @backstage/plugin-scaffolder-node versions prior to 0.4.12, 0.5.1, and 0.6.1

Description: A vulnerability was identified in the Backstage Scaffolder template functionality where Server-Side Template Injection (SSTI) can be exploited to perform Git config injection. This allows an attacker to capture privileged git tokens used by the Backstage Scaffolder plugin, resulting in unauthorized access to sensitive resources in git. The impact is considered medium severity because the Backstage Threat Model recommends restricting access to adding and editing templates in the Backstage Catalog plugin.

Recommendations: For versions prior to 0.4.12, upgrade to version 0.4.12 or later. For versions prior to 0.5.1, upgrade to version 0.5.1 or later. For versions prior to 0.6.1, upgrade to version 0.6.1 or later. As a temporary workaround, ensure that templates do not change git config.

Related Identifiers

CVE-2024-53983
GHSA-QMC2-JPR5-7RG9

Affected Products

@Backstage/Plugin-Scaffolder-Node