One of Spotify’s biggest projects had a rather critical security flaw


Backstage, Spotify’s open platform project for building developer portals, was carrying a high-severity vulnerability that allowed potential threat actors to execute code remotely and without authentication within the project. The flaw was found by cloud-native application security provider Oxeye, and was subsequently patched by Spotify.

Users are urged to update Backstage to version 1.5.1, which fixes the issue.

Explaining how they found the vulnerability, Oxeye’s researchers said they exploited a VM sandbox escape via the third-party library vm2, resulting in the ability to conduct unauthenticated remote code execution.

Template-based attacks

“By exploiting a vm2 sandbox escape in the Scaffolder core plugin, which is used by default, unauthenticated threat actors have the ability to execute arbitrary system commands on a Backstage application,” said Yuval Ostrovsky, Software Architect for Oxeye. “Critical cloud-native application vulnerabilities like this one are becoming more pervasive and it’s essential these issues are addressed promptly.”

“What caught our attention in this case were Backstage software templates and the potential for template-based attacks,” said Daniel Abeles, Head of Research at Oxeye. “In reviewing how to confine this risk, we noticed that the templating engine could be manipulated to run shell commands by using user-controlled templates with Nunjucks outside of an isolated environment.”

Backstage’s goal is to streamline the development environment by unifying all infrastructure tooling, services, and documentation. According to Oxeye, it has more than 19,000 stars on GitHub, making it one of the most popular open-source platforms for building developer portals. Spotify, American Airlines, Netflix, Splunk, Fidelity Investments, Epic Games, and Palo Alto Networks are just some of the companies using Backstage.

Further explaining the problem and potential remedies, the researchers said the root of a template-based VM escape was being able to gain JavaScript execution rights inside the template. Logic-less template engines such as Mustache prevent the introduction of server-side template injection, thus eliminating the issue, it was explained.
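As an added example (not Backstage, Oxeye, Nunjucks or Mustache code), the JavaScript below shows why a logic-less renderer closes off this class of bug: a placeholder can only look up a key on a fixed data object, so an expression such as the classic `{{ 7*7 }}` probe used to detect evaluating engines is never evaluated. It also includes an allowlist check, `templateSourceIsSafe`, for the case where an application has to accept a template from an untrusted source before passing it to a logic-capable engine. All function names, the placeholder syntax and the sample inputs are assumptions made for this example.

```javascript
// Added example, not code from Backstage or any template library.
// Contrasts a logic-less placeholder renderer with an allowlist check on
// template sources, to show why user-controlled templates handed to a
// logic-capable engine are the risk described in the article.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The only tag this renderer understands: {{ identifier }}.
// No expressions, no member access, no calls, no control flow.
const PLACEHOLDER = /\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g;

// Logic-less rendering: a placeholder can only look up a top-level key on a
// fixed data object. Anything that is not a bare identifier between the
// delimiters is left as literal text, never evaluated.
function renderLogicless(template, data) {
  return template.replace(PLACEHOLDER, (whole, key) =>
    Object.prototype.hasOwnProperty.call(data, key) ? escapeHtml(data[key]) : "");
}

// Allowlist check for a template that came from an untrusted source and is
// about to be given to a logic-capable engine (assumed Nunjucks-style
// delimiters): accept plain text and bare {{identifier}} placeholders only.
function templateSourceIsSafe(template) {
  // Strip every acceptable placeholder, then look for leftover tag delimiters.
  const residue = template.replace(PLACEHOLDER, "");
  return !/\{\{|\}\}|\{%|%\}|\{#|#\}/.test(residue);
}

// Constructed inputs: one honest template, the "{{ 7*7 }}" probe, and a
// template carrying a control-flow block.
const SAMPLES = [
  "Hello {{ name }}, your service is {{service}}.",
  "Hello {{ name }}, {{ 7*7 }}",
  "{% set x = 1 %}{{ x }}",
];

// Renders each sample with a constructed data object and reports whether the
// source would have passed the allowlist check.
function demo() {
  const data = { name: "<b>Ada</b>", service: "payments" };
  return SAMPLES.map((tpl) => ({
    template: tpl,
    safeSource: templateSourceIsSafe(tpl),
    rendered: renderLogicless(tpl, data),
  }));
}

for (const result of demo()) {
  console.log(JSON.stringify(result));
}
```

The two functions answer different questions. `renderLogicless` is the Mustache-style design the researchers point to: because the engine has no expression language, there is nothing for injected template text to execute, and the probe survives as the literal string `{{ 7*7 }}`. `templateSourceIsSafe` is the fallback when a logic-capable engine cannot be replaced: it rejects any source containing tag syntax beyond plain placeholders before the engine ever sees it, which is a far narrower surface than trying to sandbox the engine after the fact.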

“If using a template engine in an application, make sure to choose the right one with regard to security. Robust template engines are extremely useful but might pose a risk to the organization,” said Gal Goldshtein, Senior Security Researcher at Oxeye. “If using Backstage, we strongly recommend updating it to the latest version to defend against this vulnerability as soon as possible.”

