Spotify’s Backstage has been found as weak to a extreme safety flaw that might be exploited to achieve distant code execution by leveraging a lately disclosed bug in a third-party module.
The vulnerability (CVSS rating: 9.8), at its core, takes benefit of a vital sandbox escape in vm2, a well-liked JavaScript sandbox library (CVE-2022-36067 aka Sandbreak), that got here to gentle final month.
“An unauthenticated risk actor can execute arbitrary system instructions on a Backstage software by exploiting a vm2 sandbox escape within the Scaffolder core plugin,” software safety agency Oxeye stated in a report shared with The Hacker Information.
Backstage is an open supply developer portal from Spotify that enables customers to create, handle, and discover software program elements from a unified “entrance door.” It is utilized by many firms like Netflix, DoorDash, Roku, and Expedia, amongst others.
In line with Oxeye, the flaw is rooted in a device referred to as software program templates that can be utilized to create elements inside Backstage.
 |
| Screenshot reveals Backstage calling the renderTemplate perform (that calls renderString2) twice within the occasion of an error. |
Whereas the template engine makes use of vm2 to mitigate the danger related to operating untrusted code, the sandbox escape flaw within the latter made it potential to execute arbitrary system instructions exterior of the safety perimeter.
Oxeye stated it was capable of establish greater than 500 publicly-exposed Backstage cases on the web, which might then be remotely weaponized by an adversary with out requiring any authorization.
Following accountable disclosure on August 18, the difficulty was addressed by the mission maintainers in model 1.5.1 launched on August 29, 2022.
“The foundation of any template-based VM escape is gaining JavaScript execution rights throughout the template,” the Israeli firm famous. “By utilizing ‘logic-less’ template engines corresponding to Mustache, you may keep away from introducing server-side template injection vulnerabilities.”
“Separating the logic from the presentation as a lot as potential can drastically scale back your publicity to probably the most harmful template-based assaults,” it additional added.
