CVE-2023-6944
Last modified
CVE-2023-6944 is a medium-severity vulnerability rated 5.7/10 on the CVSS scale. A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. EPSS estimates a 0.56% chance of exploitation in the next 30 days.
Description
A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. The sanitized error can display on the frontend, including the raw access token. Upon gaining access to this token and depending on permissions, an attacker could push malicious code to repositories, delete resources in Git, revoke or generate new keys, and sign code illegitimately.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Red Hat Developer Hub | < 1.21.0 |
| Linuxfoundation | Backstage | < 1.21.0 |
References
- https://access.redhat.com/security/cve/CVE-2023-6944Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2255204Issue Tracking, Vendor Advisory
- https://access.redhat.com/security/cve/CVE-2023-6944Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2255204Issue Tracking, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-6944?
How severe is CVE-2023-6944?
How do I fix CVE-2023-6944?
Are you affected by CVE-2023-6944?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST