Security News > 2022 > November > Researchers release exploit details for Backstage pre-auth RCE bug
2022-11-15 16:29
Older versions of the Spotify Backstage development portal builder are vulnerable to a critical unauthenticated remote code execution flaw allowing attackers to run commands on publicly exposed systems.
Oxeye confirmed the impact in Backstage and alerted Spotify on August 18, 2022.
Oxeye's scans on Shodan revealed that 546 publicly exposed Backstage instances on the internet could be exploitable, most based in the United States.
To make matters worse, Backstage APIs are available without authentication by default.
Currently, the number of instances running Backstage versions before 1.5.1 is unknown.
Finally, the researchers warn to enable both front and backend authentication to prevent unauthorized access to Backstage APIs.
News URL
Related news
- Researchers Uncover Symlink Exploit Allowing TCC Bypass in iOS and macOS (source)
- Mitel 0-day, 5-year-old Oracle RCE bug under active exploit (source)
- Google Project Zero Researcher Uncovers Zero-Click Exploit Targeting Samsung Devices (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Researchers Find Exploit Allowing NTLMv1 Despite Active Directory Restrictions (source)
- Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits (source)