Critical RCE Flaw Reported in Spotify's Backstage Software Catalog and Developer Platform (Security News, November 2022)
Spotify's Backstage has been found to be vulnerable to a severe security flaw that could be exploited to gain remote code execution by leveraging a recently disclosed bug in a third-party module.
The vulnerability, at its core, takes advantage of a critical sandbox escape in vm2, a popular JavaScript sandbox library, that came to light last month.
"An unauthenticated threat actor can execute arbitrary system commands on a Backstage application by exploiting a vm2 sandbox escape in the Scaffolder core plugin," application security firm Oxeye said in a report shared with The Hacker News.
Backstage is an open source developer portal from Spotify that allows users to create, manage, and explore software components from a unified "front door." It's used by companies such as Netflix, DoorDash, Roku, and Expedia, among others.
According to Oxeye, the flaw is rooted in a tool called software templates that can be used to create components within Backstage.
While the template engine uses vm2 to mitigate the risk of running untrusted code, the sandbox escape flaw in vm2 made it possible to execute arbitrary system commands outside of that security perimeter.
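Because the bug lives in a transitive dependency, the first question for a defender is which copies of vm2 a Backstage deployment actually pulls in and through which plugin. The following audit script is an added example (not code from Backstage, Oxeye, or vm2); it assumes an npm `package-lock.json` in lockfileVersion 2/3 format, uses a constructed lockfile in place of a real one, and takes the fixed vm2 version as a placeholder argument rather than a value from this page.

```javascript
// Constructed package-lock.json (lockfileVersion 2/3 "packages" map) standing in
// for a Backstage app's lockfile. Paths and version numbers are illustrative only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-backstage-app" },
    "node_modules/@backstage/plugin-scaffolder-backend": { version: "1.0.0" },
    // nested copy: the Scaffolder plugin resolves its own vm2 under its node_modules
    "node_modules/@backstage/plugin-scaffolder-backend/node_modules/vm2": { version: "3.9.10" },
    // hoisted copy used by everything else
    "node_modules/vm2": { version: "3.10.0" },
  },
};

// Compare dotted numeric versions; a pre-release suffix is ignored by parseInt.
function isOlderThan(version, minimum) {
  const a = version.split(".").map((s) => parseInt(s, 10) || 0);
  const b = minimum.split(".").map((s) => parseInt(s, 10) || 0);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Return every installed copy of `name`, with the package that owns the
// node_modules directory it lives in ("(root)" for the hoisted copy).
function findPackageCopies(lock, name) {
  const suffix = `/node_modules/${name}`;
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${name}`)) continue;
    const owner = path.slice(0, Math.max(path.length - suffix.length, 0))
      .replace(/^node_modules\//, "")
      .replace(/\/node_modules\//g, " > ");
    results.push({ path, version: entry.version, owner: owner || "(root)" });
  }
  return results;
}

// Copies of `name` older than `minSafeVersion`, i.e. the ones that need an upgrade.
function auditDependency(lock, name, minSafeVersion) {
  return findPackageCopies(lock, name).filter((c) => isOlderThan(c.version, minSafeVersion));
}

// PLACEHOLDER threshold: substitute the fixed version from the vm2 advisory.
for (const hit of auditDependency(SAMPLE_LOCK, "vm2", "3.9.99")) {
  console.log(`${hit.owner} pulls in vm2@${hit.version} at ${hit.path}`);
}
```

To run it against a real install, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a nested copy under a plugin's own `node_modules` is easy to miss when only the hoisted version is checked.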
News URL
https://thehackernews.com/2022/11/critical-rce-flaw-reported-in-spotifys.html