Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency @backstage/plugin-app-backend to v0.3.75 [security] #2294

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update dependency @backstage/plugin-app-backend to v0.3.75 [security] #2294

wants to merge 1 commit into from
+264 −11

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 3, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@backstage/plugin-app-backend (source) 0.3.71 -> 0.3.75 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-47762

Impact

Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes.

Patches

The issue has been resolved in version 0.3.75 of the @backstage/plugin-app-backend package. Users are encouraged to upgrade to this version to mitigate the vulnerability.

Workarounds

As a temporary measure, avoid supplying secrets using the APP_CONFIG_ configuration pattern. Consider alternative methods for setting secrets, such as the environment substitution available for Backstage configuration.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README

Unexpected visibility of environment variable configurations in @​backstage/plugin-app-backend

CVE-2024-47762 / GHSA-qc4v-xq2m-65wc

More information

Details

Impact

Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes.

Patches

The issue has been resolved in version 0.3.75 of the @backstage/plugin-app-backend package. Users are encouraged to upgrade to this version to mitigate the vulnerability.

Workarounds

As a temporary measure, avoid supplying secrets using the APP_CONFIG_ configuration pattern. Consider alternative methods for setting secrets, such as the environment substitution available for Backstage configuration.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README

Severity

  • CVSS Score: 5.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

backstage/backstage (@​backstage/plugin-app-backend)

v0.3.75

Compare Source

Patch Changes

v0.3.74

Compare Source

Patch Changes

  • 72a8c7b: Return HTTP status 400 rather than 500 when receiving an unknown POST request.

  • d3f79d1: Fixing dependency metadata with the new @backstage/plugin-app package

  • 590fb2d: BREAKING: The app backend now supports the new index.html.tmpl output from @backstage/cli. If available, the index.html will be templated at runtime with the current configuration of the app backend.

    This is marked as a breaking change because you must now supply the app build-time configuration to the backend. This change also affects the public path behavior, where it is no longer necessary to build the app with the correct public path upfront. You now only need to supply a correct app.baseUrl to the app backend plugin at runtime.

    An effect that this change has is that the index.html will now contain and present the frontend configuration in an easily readable way, which can aid in debugging. This data was always available in the frontend, but it was injected and hidden in the static bundle.

    This templating behavior is enabled by default, but it can be disabled by setting the app.disableConfigInjection configuration option to true.

  • d425fc4: Modules, plugins, and services are now BackendFeature, not a function that returns a feature.

  • c2b63ab: Updated dependency supertest to ^7.0.0.

  • Updated dependencies

v0.3.73

Compare Source

v0.3.72

Compare Source

Patch Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner October 3, 2024 20:12
@renovate renovate bot force-pushed the renovate/npm-backstage-plugin-app-backend-vulnerability branch 15 times, most recently from cad79b1 to 2f2b91b Compare October 5, 2024 07:53
@renovate
fix(deps): update dependency @backstage/plugin-app-backend to v0.3.75…
1841023 
… [security]

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-backstage-plugin-app-backend-vulnerability branch from 2f2b91b to 1841023 Compare October 5, 2024 07:59
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Oct 5, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dzemanov dzemanov Awaiting requested review from dzemanov

@Fortune-Ndlovu Fortune-Ndlovu Awaiting requested review from Fortune-Ndlovu

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
kind/dependency upgrade kind/security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants