Critical RCE Flaw Reported in Spotify's Backstage Software Catalog and Developer Platform
Nov 15, 2022
Spotify's Backstage has been discovered as vulnerable to a severe security flaw that could be exploited to gain remote code execution by leveraging a recently disclosed bug in a third-party module. The vulnerability (CVSS score: 9.8), at its core, takes advantage of a critical sandbox escape in vm2, a popular JavaScript sandbox library ( CVE-2022-36067 aka Sandbreak), that came to light last month. "An unauthenticated threat actor can execute arbitrary system commands on a Backstage application by exploiting a vm2 sandbox escape in the Scaffolder core plugin," application security firm Oxeye said in a report shared with The Hacker News. Backstage is an open source developer portal from Spotify that allows users to create, manage, and explore software components from a unified " front door ." It's used by many companies like Netflix, DoorDash, Roku, and Expedia, among others. According to Oxeye, the flaw is rooted in a tool called software templ