Backstage, Spotify’s open platform project for building developer portals, was carrying a high-severity vulnerability that allowed potential threat actors to remotely execute unauthenticated code within the project. The flaw was found by cloud-native application security provider Oxeye and was subsequently patched by Spotify.
Users are urged to update Backstage to version 1.5.1, which fixes the problem.
Explaining how they found the vulnerability, Oxeye’s researchers said they exploited a VM sandbox escape through the third-party vm2 library, resulting in the ability to conduct unauthenticated remote code execution.
Template-based attacks
“By exploiting a vm2 sandbox escape in the Scaffolder core plugin, which is used by default, unauthenticated threat actors have the ability to execute arbitrary system commands on a Backstage application,” said Yuval Ostrovsky, Software Architect for Oxeye. “Critical cloud-native application vulnerabilities like this one are becoming more pervasive and it is critical these issues are addressed without delay.”
“What caught our attention in this case were Backstage software templates and the potential for template-based attacks,” said Daniel Abeles, Head of Research at Oxeye. “In reviewing how to confine this risk, we noticed that the templating engine could be manipulated to run shell commands by using user-controlled templates with Nunjucks outside of an isolated environment.”
Backstage’s aim is to streamline the development environment by unifying all infrastructure tooling, services, and documentation. According to Oxeye, it has more than 19,000 stars on GitHub, making it one of the most popular open-source platforms for building developer portals. Spotify, American Airlines, Netflix, Splunk, Fidelity Investments, Epic Games, and Palo Alto Networks are just a few of the companies using Backstage.
Further explaining the issue and potential remedies, the researchers said the root of a template-based VM escape was the ability to gain JavaScript execution rights within the template. Logic-less template engines such as Mustache prevent the introduction of server-side template injection, thus eliminating the problem, they explained.
“If using a template engine in an application, make sure to choose the right one in relation to security. Robust template engines are extremely useful but might pose a risk to the organization,” said Gal Goldshtein, Senior Security Researcher at Oxeye. “If using Backstage, we strongly recommend updating it to the latest version to defend against this vulnerability as soon as possible.”
Template-based assaults
“By exploiting a vm2 sandbox escape in the Scaffolder core plugin, which is used by default, unauthenticated threat actors have the ability to execute arbitrary system commands on a Backstage application,” stated Yuval Ostrovsky, Software program Architect for Oxeye. “Critical cloud-native application vulnerabilities like this one are becoming more pervasive and it is critical these issues are addressed without delay.”
“What caught our consideration on this case have been Backstage software program templates and the potential for template-based assaults,” stated Daniel Abeles, Head of Analysis at Oxeye. “In reviewing how to confine this risk, we noticed that the templating engine could be manipulated to run shell commands by using user-controlled templates with Nunjucks outside of an isolated environment.”
Backstage’s aim is to streamline growth setting by unifying all infrastructure tooling, companies, and documentation. Based on Oxeye, it has greater than 19,000 stars on GitHub, making it some of the well-liked open-source platforms for constructing developer portals. Spotify, American Airways, Netflix, Splunk, Constancy Investments, Epic Video games, and Palo Alto Networks, are simply a few of the corporations utilizing Backstage.
Additional explaining the issue and potential treatments, the researchers stated the basis of a template-based VM escape was in a position to achieve JavaScript execution rights throughout the template. Logic-less template engines equivalent to Mustache stop the introduction of server-side template injection, thus eliminating the problem, it was defined.
“If using a template engine in an application, make sure to choose the right one in relation to security. Robust template engines are extremely useful but might pose a risk to the organization,” stated Gal Goldshtein, Senior Safety Researcher at Oxeye. “If using Backstage, we strongly recommend updating it to the latest version to defend against this vulnerability as soon as possible.”
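To illustrate the point the researchers make about logic-less engines, here is an added example (not code from Backstage, Oxeye or any template library): a minimal logic-less renderer in which a placeholder can only resolve to an own property of the supplied data, so template text itself can never evaluate an expression or reach prototype members, plus a helper that flags template sources relying on logic tags before they are handed to a full engine such as Nunjucks. The function names and the sample templates are this example's own.

```javascript
// Added example: a logic-less renderer in the spirit of Mustache.
// {{ path }} is resolved ONLY by an own-property lookup on plain data;
// any other tag content is left as literal text, never evaluated.
const PLACEHOLDER = /\{\{\s*([A-Za-z_][\w.]*)\s*\}\}/g;

function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Walk a dotted path through the data object. Only own properties count,
// so prototype members (constructor, __proto__, ...) are never reachable.
function lookup(data, path) {
  let current = data;
  for (const key of path.split('.')) {
    if (current === null || typeof current !== 'object' ||
        !Object.prototype.hasOwnProperty.call(current, key)) {
      return undefined;
    }
    current = current[key];
  }
  return current;
}

// Render a user-controlled template without any expression evaluation.
function renderLogicless(template, data) {
  return template.replace(PLACEHOLDER, (match, path) => {
    const value = lookup(data, path);
    return value === undefined ? '' : escapeHtml(value);
  });
}

// Review helper: true when a template source uses {% ... %} logic tags or
// puts anything other than a bare identifier path inside {{ ... }}. Such a
// template needs a logic-aware engine, which is where the risk lives.
function usesTemplateLogic(template) {
  if (/\{%[\s\S]*?%\}/.test(template)) return true;
  const anyTag = /\{\{([\s\S]*?)\}\}/g;
  let m;
  while ((m = anyTag.exec(template)) !== null) {
    if (!/^\s*[A-Za-z_][\w.]*\s*$/.test(m[1])) return true;
  }
  return false;
}
```

A constructed template such as `{{ 1 + 1 }}` comes back unchanged from `renderLogicless`, and `{{ user.constructor }}` renders to an empty string, which is the property that makes a logic-less engine safe to feed user-controlled templates.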