Backstage, Spotify’s open platform for building developer portals, contained a critical vulnerability that allowed threat actors to execute code remotely without authentication.
The vulnerability was discovered by cloud-native application security firm Oxeye and was later patched by Spotify.
Users are advised to update Backstage to version 1.5.1, which resolves the problem.
According to Oxeye’s researchers, they found the vulnerability by exploiting a VM sandbox escape through the third-party vm2 library, which gave them unauthenticated remote code execution.
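A quick way for defenders to confirm whether an app is still on a pre-fix release is to compare its pinned Backstage version against 1.5.1. The script below is an added example, not Oxeye’s or Backstage’s code; it assumes the app repository has a root backstage.json with a "version" field (the file that Backstage’s create-app tooling generates), and it treats prereleases such as 1.5.1-next.0 as older than the final 1.5.1.

```python
"""Flag a Backstage app whose pinned version predates the 1.5.1 fix.

Added example, not Oxeye's or Backstage's code. Assumes the app repo
has a root backstage.json with a "version" field; adjust the path if
your layout differs.
"""
import json
import re
from pathlib import Path

FIXED_VERSION = "1.5.1"  # release named in the advisory

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, prerelease) as a comparable tuple.

    A prerelease such as 1.5.1-next.0 sorts before the final 1.5.1,
    which matters here because only the release carries the fix.
    Ordering between two prereleases is a plain string comparison,
    an approximation of the semver rules that is enough for this check.
    """
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    # (0, "next.0") sorts before (1, ""): prerelease loses to final release
    pre = (0, m.group(4)) if m.group(4) else (1, "")
    return (major, minor, patch, pre)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the pinned Backstage version is older than the fix."""
    return parse_version(version) < parse_version(fixed)


def check_app(repo_root: str) -> dict:
    """Read <repo_root>/backstage.json and report the pinned version."""
    data = json.loads(Path(repo_root, "backstage.json").read_text())
    version = data["version"]
    return {"version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    import sys
    result = check_app(sys.argv[1] if len(sys.argv) > 1 else ".")
    status = "VULNERABLE, upgrade" if result["vulnerable"] else "patched"
    print(f"Backstage {result['version']}: {status}")
```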
Attacks based on templates
“By exploiting a vm2 sandbox escape in the Scaffolder core plugin, which is used by default, unauthenticated threat actors have the ability to execute arbitrary system commands on a Backstage application,” said Yuval Ostrovsky, Software Architect for Oxeye.
“Critical cloud-native application vulnerabilities like this one are becoming more pervasive and it is critical these issues are addressed without delay.”
“What caught our attention in this case were Backstage software templates and the potential for template-based attacks,” said Daniel Abeles, Head of Research at Oxeye.
“In reviewing how to confine this risk, we noticed that the templating engine could be manipulated to run shell commands by using user-controlled templates with Nunjucks outside of an isolated environment.”
Backstage’s goal is to simplify the development environment by bringing all infrastructure tooling, services, and documentation under one umbrella.
It has over 19,000 stars on GitHub, according to Oxeye, making it one of the most popular open-source platforms for building developer portals.
Spotify, American Airlines, Netflix, Splunk, Fidelity Investments, Epic Games, and Palo Alto Networks are just a few of the companies that use Backstage.