Experts found critical RCE in Spotify’s BackstageSecurity Affairs
Researchers discovered a critical vulnerability affecting Spotify’s Backstage Software Catalog and Developer Platform.
Researchers from security firm Oxeye discovered a critical remote code execution in Spotify’s Backstage (CVSS score of 9.8). Backstage is Spotify’s open source platform for building developer portals, it is used by a number of organizations including American Airlines, Netflix, Splunk, Fidelity Investments and Epic Games.
The issue can be exploited by triggering a recently disclosed VM sandbox escape vulnerability (CVE-2022-36067 aka Sandbreak) in the vm2 third-party library.
Oxeye researchers reported this RCE vulnerability via Spotify’s bug bounty program, and the Backstage development team quickly fixed it with the release of version 1.5.1.
“An unauthenticated threat actor could execute arbitrary system commands on a Backstage application by exploiting a vm2 sandbox escape in the Scaffolder core plugin.” reads the message published by Oxeye.
The vulnerability resides in the software template tools that allow developers to create components in Backstage.
The researchers explained that the template engine uses the vm2 library to prevent the execution of untrusted code.
The researchers run a simple query for the Backstage favicon hash in Shodan and discovered more than 500 Backstage instances exposed to the internet.
The experts noted that Backstage is deployed by default without an authentication mechanism or an authorization mechanism, which allows guest access. Some of the publicly exposed Backstage instances required no authentication.
Further testing allowed the experts to determine that the vulnerability could be exploited without authentication in many cases.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(Security matters – hacking, Spotify’s Backstage)