Backstage, Spotify’s open platform challenge for constructing developer portals was carrying a high-severity vulnerability that allowed potential risk actors to remotely execute unauthenticated code within the challenge. The flaw was found by cloud-native utility safety suppliers Oxeye, and was subsequently patched by Spotify.
Customers are urged to replace Backstage to model 1.5.1, which fixes the problem.
Explaining how they found the vulnerability, Oxeye’s researchers stated they exploited a VM sandbox escape by way of the third-party library in vm2, ensuing within the capability to conduct unauthenticated distant code execution.
“By exploiting a vm2 sandbox escape in the Scaffolder core plugin, which is used by default, unauthenticated threat actors have the ability to execute arbitrary system commands on a Backstage application,” stated Yuval Ostrovsky, Software program Architect for Oxeye. “Critical cloud-native application vulnerabilities like this one are becoming more pervasive and it is critical these issues are addressed without delay.”
“What caught our consideration on this case have been Backstage software program templates and the potential for template-based assaults,” stated Daniel Abeles, Head of Analysis at Oxeye. “In reviewing how to confine this risk, we noticed that the templating engine could be manipulated to run shell commands by using user-controlled templates with Nunjucks outside of an isolated environment.”
Backstage’s aim is to streamline growth setting by unifying all infrastructure tooling, companies, and documentation. Based on Oxeye, it has greater than 19,000 stars on GitHub, making it some of the well-liked open-source platforms for constructing developer portals. Spotify, American Airways, Netflix, Splunk, Constancy Investments, Epic Video games, and Palo Alto Networks, are simply a few of the corporations utilizing Backstage.
“If using a template engine in an application, make sure to choose the right one in relation to security. Robust template engines are extremely useful but might pose a risk to the organization,” stated Gal Goldshtein, Senior Safety Researcher at Oxeye. “If using Backstage, we strongly recommend updating it to the latest version to defend against this vulnerability as soon as possible.”