SCA: security update for @backstage/plugin-app-backend (GHSA-qc4v-xq2m-65wc)

medium Tenable Cloud Security Plugin ID 418042

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Backstage is an open framework for building developer portals. Configuration supplied through APP_CONFIG_*
environment variables, for example APP_CONFIG_backend_listen_port=7007, where unexpectedly ignoring the
visibility defined in configuration schema. This occurred even if the configuration schema specified that
they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of
supplying configuration, but now clearly goes against the expected behavior of the configuration system.
This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain
private or restricted to backend processes. The issue has been resolved in version 0.3.75 of the
@backstage/plugin-app-backend package. As a temporary measure, avoid supplying secrets using the
APP_CONFIG_ configuration pattern. Consider alternative methods for setting secrets, such as the
environment substitution available for Backstage configuration. (CVE-2024-47762)

See Also

https://github.com/advisories/GHSA-qc4v-xq2m-65wc

Plugin Details

Severity: Medium

ID: 418042

Version: Revision 1.13

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2024-47762

CVSS v3

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/3/2024

Vulnerability Publication Date: 10/3/2024

Reference Information

CVE: CVE-2024-47762

cwe: CWE-440