A severe security flaw in Spotify’s Backstage that could be exploited to achieve remote code execution (RCE) has been found and later fixed.
The vulnerability carries a CVSS score of 9.8; at its core, it exploits a critical sandbox escape in vm2, a popular JavaScript sandbox library (CVE-2022-36067, aka Sandbreak), that was discovered last month.
“An unauthenticated threat actor can execute arbitrary system commands on a Backstage application by exploiting a vm2 sandbox escape in the Scaffolder core plugin,” states the advisory published by Oxeye.
Oxeye verified the impact in Backstage and notified Spotify on August 18, 2022. The vendor then addressed it in an updated version, 1.5.1, released on August 29, 2022.
Backstage is an open-source developer portal used by many firms, including Netflix, Fidelity, American Airlines and Epic Games.
The flaw resides in the software templates tooling that lets developers create components in Backstage.
The researchers further explained that the template engine uses the vm2 library to prevent the execution of untrusted code.
The advisory added that, while reviewing how to contain this risk, the Backstage maintainers had noticed that the templating engine could be manipulated to run shell commands when user-controlled Nunjucks templates were rendered outside an isolated environment. As a result, Backstage began using the vm2 JavaScript sandbox library to mitigate this risk, and it is that sandbox which the vm2 escape now bypasses.