Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Critical RCE Flaw Reported in Spotify’s Backstage Software Catalog and Developer Platform

November 15, 2022

Spotify’s Backstage has been found to be vulnerable to a severe security flaw that could be exploited to gain remote code execution by leveraging a recently disclosed bug in a third-party module.

The vulnerability (CVSS score: 9.8) at its core takes advantage of a critical sandbox escape in vm2, a popular JavaScript sandbox library (CVE-2022-36067, also known as Sandbreak), that came to light last month.

“An unauthenticated threat actor can execute arbitrary system commands on a Backstage application by exploiting a vm2 sandbox escape in the Scaffolder core plugin,” application security firm Oxeye said in a report shared with The Hacker News.

Backstage is an open source developer portal from Spotify that enables users to create, manage, and explore software components from a unified “front door.” It’s used by many companies, including Netflix, DoorDash, Roku, and Expedia, among others.

According to Oxeye, the issue is rooted in a feature called software templates, which can be used to create components within Backstage.

[Screenshot: Backstage calling the renderTemplate function (which in turn calls renderString2) twice when an error occurs.]

While the template engine uses vm2 to mitigate the risk of running untrusted code, the sandbox escape flaw in vm2 made it possible to execute arbitrary system commands outside the intended security boundary.

Oxeye said it was able to identify more than 500 publicly exposed Backstage instances on the internet, which could then be remotely weaponized by an attacker without requiring any authorization.
Following responsible disclosure on August 18, the issue was addressed by the project maintainers in version 1.5.1, released on August 29, 2022. Backstage deployments running earlier versions should be upgraded.

“The root of any template-based VM escape is obtaining JavaScript execution rights within the template,” the Israeli company noted. “By using ‘logic-less’ template engines such as Mustache, you can avoid introducing server-side template injection vulnerabilities.”

“Separating the logic from the presentation as much as possible can significantly reduce your exposure to the most dangerous template-based attacks,” it added.
