CIO News Hubb
Advertisement
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
CIO News Hubb
No Result
View All Result
Home Information Security

Critical RCE Flaw Reported in Spotify’s Backstage Software Catalog and Developer Platform

admin by admin
November 15, 2022
in Information Security


Spotify’s Backstage has been discovered as vulnerable to a severe security flaw that could be exploited to gain remote code execution by leveraging a recently disclosed bug in a third-party module.

The vulnerability (CVSS score: 9.8), at its core, takes advantage of a critical sandbox escape in vm2, a popular JavaScript sandbox library (CVE-2022-36067 aka Sandbreak), that came to light last month.

“An unauthenticated threat actor can execute arbitrary system commands on a Backstage application by exploiting a vm2 sandbox escape in the Scaffolder core plugin,” application security firm Oxeye said in a report shared with The Hacker News.

Backstage is an open source developer portal from Spotify that allows users to create, manage, and explore software components from a unified “front door.” It’s used by many companies like Netflix, DoorDash, Roku, and Expedia, among others.

According to Oxeye, the flaw is rooted in a tool called software templates that can be used to create components within Backstage.

Backstage Software Catalog and Developer Platform
Screenshot shows Backstage calling the renderTemplate function (that calls renderString2) twice in the event of an error.

While the template engine utilizes vm2 to mitigate the risk associated with running untrusted code, the sandbox escape flaw in the latter made it possible to execute arbitrary system commands outside of the security perimeter.

Oxeye said it was able to identify more than 500 publicly-exposed Backstage instances on the internet, which could then be remotely weaponized by an adversary without requiring any authorization.

CyberSecurity

Following responsible disclosure on August 18, the issue was addressed by the project maintainers in version 1.5.1 released on August 29, 2022.

“The root of any template-based VM escape is gaining JavaScript execution rights within the template,” the Israeli company noted. “By using ‘logic-less’ template engines such as Mustache, you can avoid introducing server-side template injection vulnerabilities.”

“Separating the logic from the presentation as much as possible can greatly reduce your exposure to the most dangerous template-based attacks,” it further added.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
Previous Post

Innerlinearlimitation ~ Future of CIO

Next Post

Initiatelevelsoffitness ~ Future of CIO

Related Posts

Information Security

Malicious Python Package Uses Unicode Trickery to Evade Detection and Steal Data

by admin
March 24, 2023
Information Security

Automate the deployment of an NGINX web service using Amazon ECS with TLS offload in CloudHSM

by admin
March 24, 2023
Information Security

AV-Comparatives Anti-Phishing Test | Avast

by admin
March 24, 2023
Information Security

Fake ChatGPT Chrome Browser Extension Caught Hijacking Facebook Accounts

by admin
March 23, 2023
Information Security

New Instagram scam uses fake SHEIN gift cards as lure

by admin
March 23, 2023
Next Post

Initiatelevelsoffitness ~ Future of CIO

Recommended

Illuminatesilience

March 25, 2023

Malicious Python Package Uses Unicode Trickery to Evade Detection and Steal Data

March 24, 2023

Automate the deployment of an NGINX web service using Amazon ECS with TLS offload in CloudHSM

March 24, 2023

AV-Comparatives Anti-Phishing Test | Avast

March 24, 2023

Innateniche

March 24, 2023

The Importance of Sustainable Technology

March 23, 2023

© 2022 CIO News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

Newsletter Sign Up

No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

© 2022 CIO News Hubb All rights reserved.