2.6

CVE-2025-55285

EPSS 0.03%
Veröffentlicht 15.08.2025 17:10:26
Zuletzt bearbeitet 18.08.2025 20:16:28
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template there is no impact. This issue has been resolved in 2.1.1 of the scaffolder-backend plugin. A workaround for this issue involves Template Authors removing the use of ${{ secrets }} being used as an argument to fetch:template.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerbackstage

≫

Produkt backstage

Version < 2.1.1

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.073

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	2.6	1	1.4	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7

https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e

https://nvd.nist.gov/vuln/detail/CVE-2025-55285

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-55285

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-55285

EUVD