High severity · NVD Advisory · Published Jan 4, 2024 · Updated Nov 20, 2025
RHDH: catalog-import function leaks credentials to frontend
CVE-2023-6944
Description
A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. The sanitized error can display on the frontend, including the raw access token. Upon gaining access to this token and depending on permissions, an attacker could push malicious code to repositories, delete resources in Git, revoke or generate new keys, and sign code illegitimately.
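An added illustration, not RHDH's or Backstage's own code, of the failure the description names and of two backend-side defences: rejecting a token that carries a trailing newline at config-load time, and masking known secrets in any error text before it is sent to the browser. The token value, the config shape and the echoing client are all constructed stand-ins; the real client's error format is not on this page.

```typescript
// Constructed sample: a GitLab token whose base64 source was produced with a
// tool that appended "\n", so the decoded value ends in a newline.
export const SAMPLE_LEAKED_TOKEN = 'glpat-EXAMPLE0123456789\n';
export const REDACTED = '[REDACTED]';

// Defence 1: HTTP header values may not contain control characters, so a
// token with any whitespace is rejected before a client can wrap it in an
// error message. (Hypothetical helper; name is an assumption.)
export function validateToken(token: string): string {
  if (/[\r\n\t ]/.test(token)) {
    throw new Error('GitLab token contains whitespace; check for a trailing newline in the base64 value');
  }
  return token;
}

// Constructed downstream client that echoes the offending header value. This is
// the behaviour that exposes the secret; real clients differ in wording.
function gitlabClientCall(token: string): never {
  throw new Error(`Invalid character in header content "PRIVATE-TOKEN": ${JSON.stringify(token)}`);
}

// Defence 2: mask every known secret in a message before it leaves the backend.
// Both the raw value and its trimmed form are masked, because an error that
// JSON-escapes the value turns the real "\n" into the two characters "\" "n",
// and a search for the raw value alone would miss the token.
export function redactSecrets(message: string, secrets: string[]): string {
  let out = message;
  for (const secret of secrets) {
    const forms = secret === secret.trim() ? [secret] : [secret, secret.trim()];
    for (const v of forms) {
      if (!v) continue;                     // never split on the empty string
      out = out.split(v).join(REDACTED);
    }
  }
  return out;
}

// Error text that would be returned to the frontend for an import attempt.
export function importErrorForClient(token: string): string {
  let message = '';
  try {
    gitlabClientCall(token);
  } catch (e) {
    message = (e as Error).message;
  }
  return redactSecrets(message, [token]);
}
```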
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @backstage/backend-app-api (npm) | < 0.5.9-next.1 | 0.5.9-next.1 |
Affected products
- Red Hat / RHDH-1.1-RHEL-9 (CPE cpe:/a:redhat:rhdh:1.1::el9), affected range: 1.1-107.1724038966
References
- access.redhat.com/errata/RHBA-2024:5869 (vendor advisory)
- github.com/advisories/GHSA-86rg-pf4c-5grg (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-6944 (advisory)
- access.redhat.com/security/cve/CVE-2023-6944 (VDB entry)
- bugzilla.redhat.com/show_bug.cgi (issue tracking)
- github.com/backstage/backstage/blob/master/docs/releases/v1.21.0-next.2-changelog.md
- github.com/backstage/backstage/commit/0382db60f6c8e8715a702bde6408ad10a48d8e11
- github.com/backstage/backstage/issues/21503
- github.com/backstage/backstage/pull/21582
- www.cve.org/CVERecord