CVE-2023-6944: 
JavaScript vulnerability analysis and mitigation

A vulnerability (CVE-2023-6944) was discovered in the Red Hat Developer Hub (RHDH) affecting the catalog-import function. The flaw allows GitLab access tokens to be leaked on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. This vulnerability was initially reported on January 4, 2024, affecting versions up to (excluding) 1.21.0 of both LinuxFoundation Backstage and Red Hat Developer Hub (NVD, Red Hat Advisory).

The vulnerability is classified as CWE-209 (Generation of Error Message Containing Sensitive Information). When processing GitLab tokens in the catalog-import function, the system fails to properly sanitize error messages, resulting in the exposure of raw access tokens in frontend error displays. The vulnerability has been assigned a CVSS v3.1 base score of 5.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N (NVD).

The exposure of GitLab access tokens can lead to serious security implications. Depending on the token's permissions, an attacker could potentially execute malicious activities including pushing unauthorized code to repositories, deleting Git resources, revoking or generating new keys, and signing code illegitimately (Red Hat Bugzilla).

The vulnerability has been fixed in version 1.21.0 of Red Hat Developer Hub. Organizations using affected versions should upgrade to version 1.21.0 or later to address this security issue (Red Hat Bugzilla).