A severe security vulnerability in Backstage, a CNCF-incubated, open-source project by Spotify, has been disclosed recently. The vulnerability could allow remote code execution attacks thanks to another issue in a third-party module. This issue, known as CVE-2022-36067, is a critical sandbox escape in vm2, a well-known JavaScript sandbox library.
CVE-2022-36067 and the Connection to Spotify’s Backstage Vulnerability
What is the official description of CVE-2022-36067? “vm2 is a sandbox that can run untrusted code with whitelisted Node’s built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,” according to the National Vulnerability Database.
CVE-2022-36067 was patched in the release of version 3.9.11 of vm2, with no known workarounds.
What about Spotify’s Backstage vulnerability? Discovered by Oxeye’s research team, the vulnerability leverages a VM sandbox escape via the vm2 third-party library. In terms of its impact, the vulnerability could be exploited by an unauthenticated threat actor to execute arbitrary commands on a Backstage application by leveraging a vm2 sandbox escape in the Scaffolder core plugin.
Backstage is an open-source developer portal by Spotify that enables the creation and management of software components from a unified front door. It is noteworthy that many other companies use Backstage, including names such as Expedia and Netflix. The researchers say that the flaw stems from a tool called “software templates” that creates components within Backstage.
Oxeye made a responsible disclosure on August 18 2022, and the issue was fixed by the project maintainers in Backstage version 1.5.1 shortly after. If you are using Backstage in your organization, the team strongly recommends updating it to the latest version. “Moreover, if you’re using a template engine in your application, make sure you choose the right one in relation to security. Robust template engines are extremely useful but might pose a risk to your organization,” the company added.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: