Vulnerability details: VCID-41cb-gut4-jkb1
Vulnerability ID VCID-41cb-gut4-jkb1
Aliases CVE-2024-47762
GHSA-qc4v-xq2m-65wc
Summary Backstage is an open framework for building developer portals. Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, was unexpectedly ignoring the visibility defined in the configuration schema. This occurred even if the configuration schema specified that the values should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but it now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of exposing sensitive configuration details intended to remain private or restricted to backend processes. The issue has been resolved in version 0.3.75 of the @backstage/plugin-app-backend package. As a temporary measure, avoid supplying secrets using the APP_CONFIG_ configuration pattern. Consider alternative methods for setting secrets, such as the environment substitution available for Backstage configuration.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 5.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47762.json
epss 0.00188 https://api.first.org/data/v1/epss?cve=CVE-2024-47762
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-qc4v-xq2m-65wc
cvssv3.1 5.8 https://github.com/backstage/backstage
cvssv4 6.9 https://github.com/backstage/backstage
generic_textual MODERATE https://github.com/backstage/backstage
cvssv3.1 5.8 https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f
cvssv4 6.9 https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f
generic_textual MODERATE https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f
ssvc Track https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f
cvssv3.1 5.8 https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc
cvssv3.1_qr MODERATE https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc
cvssv4 6.9 https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc
generic_textual MODERATE https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc
ssvc Track https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc
cvssv3.1 5.8 https://nvd.nist.gov/vuln/detail/CVE-2024-47762
cvssv4 6.9 https://nvd.nist.gov/vuln/detail/CVE-2024-47762
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-47762
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47762.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Found at https://github.com/backstage/backstage
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://github.com/backstage/backstage
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Found at https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-03T17:39:32Z/ Found at https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Found at https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-03T17:39:32Z/ Found at https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-47762
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-47762
Exploit Prediction Scoring System (EPSS)
Percentile 0.40526
EPSS Score 0.00188
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-10T18:45:07.763308+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2024/47xxx/CVE-2024-47762.json 38.6.0