CVE-2023-6944

Published: Jan 4, 2024Modified: Sep 5, 2025

5.7

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Exploitability: 2.1 / Impact: 3.6

Source: NVD

Description

A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. The sanitized error can display on the frontend, including the raw access token. Upon gaining access to this token and depending on permissions, an attacker could push malicious code to repositories, delete resources in Git, revoke or generate new keys, and sign code illegitimately.

Affected (2)

Products: Redhat: Red Hat Developer Hub · Linuxfoundation: Backstage

1 product

Red Hat Developer Hub

Linuxfoundation

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Red Hat Developer Hub	Before 1.21.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Linuxfoundation Backstage	Before 1.21.0

Related CWEs

Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

References (5)

https://access.redhat.com/errata/RHBA-2024:5869

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2023-6944

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2255204

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://access.redhat.com/security/cve/CVE-2023-6944

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2255204

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.