CVE-2023-35926
published 2023-06-22CVE-2023-35926: Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by…
PriorityP266critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
EPSS
1.89%
76.9th percentile
Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This is vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| backstage | backstage | < 1.15.0 | 1.15.0 |
| backstage | plugin-scaffolder-backend | >= 0 < 1.15.0 | 1.15.0 |
| linuxfoundation | backstage | < 1.15.0 | 1.15.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Backstage Scaffolder plugin has insecure sandbox
osv·2023-06-21
CVE-2023-35926 [HIGH] Backstage Scaffolder plugin has insecure sandbox
Backstage Scaffolder plugin has insecure sandbox
The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library.
### Impact
A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data.
### Patches
This is vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.
GHSA
Backstage Scaffolder plugin has insecure sandbox
ghsa·2023-06-21
CVE-2023-35926 [HIGH] CWE-94 Backstage Scaffolder plugin has insecure sandbox
Backstage Scaffolder plugin has insecure sandbox
The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library.
### Impact
A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data.
### Patches
This is vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949ahttps://github.com/backstage/backstage/releases/tag/v1.15.0https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmrhttps://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949ahttps://github.com/backstage/backstage/releases/tag/v1.15.0https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr
2023-06-22
Published