Cyber Resilience

CVE-2024-53983

Medium

Published: 29 November 2024

Published
29 November 2024
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 5.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
EPSS Score 0.0015 35.7th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-53983 is a medium-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 5.4 (Medium).

Operationally, ranked at the 35.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

The Backstage Scaffolder plugin Houses types and utilities for building scaffolder-related modules. A vulnerability is identified in Backstage Scaffolder template functionality where Server-Side Template Injection (SSTI) can be exploited to perform Git config injection. The vulnerability allows an attacker to…

more

capture privileged git tokens used by the Backstage Scaffolder plugin. With these tokens, unauthorized access to sensitive resources in git can be achieved. The impact is considered medium severity as the Backstage Threat Model recommends restricting access to adding and editing templates in the Backstage Catalog plugin. The issue has been resolved in versions `v0.4.12`, `v0.5.1` and `v0.6.1` of the `@backstage/plugin-scaffolder-node` package. Users are encouraged to upgrade to this version to mitigate the vulnerability. Users are advised to upgrade. Users unable to upgrade may ensure that templates do not change git config.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-918

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

addresses: CWE-918

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

addresses: CWE-918

Validates server-side URLs and resource references to block SSRF attempts.

addresses: CWE-918

Detects server-side request forgery through monitoring of unexpected outbound connections.

References