Backstage Scaffolder Backend Environment Secrets Exposure Vulnerability
Vulnerability
A vulnerability exists in '@backstage/plugin-scaffolder-backend' (the Scaffolder backend plugin of Backstage) in versions prior to 3.1.5. An authenticated user who is permitted to execute scaffolder dry-runs can obtain server-configured environment secrets from the dry-run API response: the secrets are redacted in the dry-run log output, but they remain visible in other parts of the response payload. Only deployments that set a non-empty 'scaffolder.defaultEnvironment.secrets' block in 'app-config.yaml' are affected.
Impact
Any user holding the dry-run permission can read the secrets configured under 'scaffolder.defaultEnvironment.secrets', which are intended to stay server-side and be injected into template execution only, and can then misuse them in the context of the application or deployment. The severity depends on what those secrets grant access to; because the endpoint requires authentication and dry-run permission, the exposure is limited to users who already hold that permission.
Reproduction
To reproduce this vulnerability, an authenticated user with permission to execute scaffolder dry-runs submits a dry-run against a deployment that has 'scaffolder.defaultEnvironment.secrets' configured, then inspects the full dry-run API response body rather than only the rendered log. The log entries show the secrets redacted, while other parts of the response payload contain the configured secret values in clear.
Remediation
Upgrade '@backstage/plugin-scaffolder-backend' to version 3.1.5 or later to fix the issue. Until the upgrade is applied, either remove or empty the 'scaffolder.defaultEnvironment.secrets' block in 'app-config.yaml' (templates that depend on those secrets will no longer receive them), or restrict who may execute scaffolder dry-runs through the permissions framework; note that the permission restriction only narrows the set of users who can read the secrets and does not stop the leak for those who keep the permission. Because any user who held dry-run permission on an affected version may already have seen the values, rotate the configured secrets after upgrading.
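The following is an added example, not code from the Backstage project or from this advisory, that a deployment owner can use to audit for this issue: it checks whether the resolved plugin version is below 3.1.5, whether the loaded app-config carries a non-empty 'scaffolder.defaultEnvironment.secrets' block, and whether a captured dry-run response body contains any of the configured secret values anywhere outside the log. The sample config and response objects are constructed for illustration; the exact field layout of a real dry-run response is an assumption and the scanner deliberately walks the whole payload so it does not depend on it.

```javascript
// Added audit helpers (not Backstage project code). Run with: node audit.js
// Assumptions: the config object is app-config.yaml after YAML parsing, the
// version passed in is the resolved version from the lockfile (not a range),
// and the dry-run response is the parsed JSON body returned by the API.

const FIXED_VERSION = '3.1.5';

// Compare dotted numeric versions: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when the installed @backstage/plugin-scaffolder-backend is below 3.1.5.
// A leading range marker (^, ~, =, v) is stripped; a pre-release tag is dropped,
// so treat "3.1.5-next.0" as unfixed when you see one in a lockfile.
function isVulnerableVersion(resolved) {
  const clean = resolved.replace(/^[~^=v]/, '').split('-')[0];
  return compareVersions(clean, FIXED_VERSION) < 0;
}

// True when the parsed app-config has a non-empty
// scaffolder.defaultEnvironment.secrets block (the setting that enables exposure).
function hasDefaultEnvironmentSecrets(config) {
  const secrets = config?.scaffolder?.defaultEnvironment?.secrets;
  return !!secrets && typeof secrets === 'object' && Object.keys(secrets).length > 0;
}

// Walk an arbitrary JSON payload and report every string that contains one of the
// configured secret values, with the JSON path where it was found. Run it on the
// dry-run response before and after the upgrade to confirm the values no longer appear.
function findLeakedSecrets(payload, secrets) {
  const entries = Object.entries(secrets).filter(
    ([, v]) => typeof v === 'string' && v.length > 0,
  );
  const hits = [];
  const walk = (node, path) => {
    if (typeof node === 'string') {
      for (const [name, value] of entries) {
        if (node.includes(value)) hits.push({ path, secret: name });
      }
    } else if (Array.isArray(node)) {
      node.forEach((item, i) => walk(item, `${path}[${i}]`));
    } else if (node && typeof node === 'object') {
      for (const [k, v] of Object.entries(node)) walk(v, path ? `${path}.${k}` : k);
    }
  };
  walk(payload, '');
  return hits;
}

// Constructed sample config (shape of app-config.yaml after parsing) with the weak setting.
const sampleConfig = {
  scaffolder: {
    defaultEnvironment: {
      secrets: { GITHUB_TOKEN: 'ghp_exampleSecretValue123' },
    },
  },
};

// Constructed sample dry-run response: the log line is redacted as the advisory
// describes, while an assumed "steps[].input" section echoes the secret back.
// The field names here are illustrative, not the real API schema.
const sampleDryRunResponse = {
  log: [{ body: { message: 'Using token ***' } }],
  steps: [{ id: 'fetch', input: { token: 'ghp_exampleSecretValue123' } }],
  output: {},
};

// Combine the three checks into one report for a deployment.
function assess(resolvedVersion, config, dryRunResponse) {
  const secrets = config?.scaffolder?.defaultEnvironment?.secrets || {};
  return {
    affectedVersion: isVulnerableVersion(resolvedVersion),
    secretsConfigured: hasDefaultEnvironmentSecrets(config),
    leaks: findLeakedSecrets(dryRunResponse, secrets),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(assess('3.1.4', sampleConfig, sampleDryRunResponse), null, 2));
}
```

Feed `assess` the resolved version reported by your lockfile (for example via `yarn why @backstage/plugin-scaffolder-backend`) together with the parsed config and a dry-run response captured from the running deployment; a non-empty `leaks` list pinpoints where in the payload the values surface, which is useful both for confirming exposure on an affected version and for verifying that nothing remains after upgrading.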
