Researchers discovered a critical vulnerability impacting Spotify’s Backstage Software Catalog and Developer Platform.
Researchers from the security firm Oxeye discovered a critical Remote Code Execution in Spotify’s Backstage (CVSS Score of 9.8). Backstage is Spotify’s open-source platform for building developer portals, it’s used by a several organizations, including American Airlines, Netflix, Splunk, Fidelity Investments and Epic Games.
The issue can be exploited by triggering a recently disclosed VM sandbox escape vulnerability (CVE-2022-36067 aka Sandbreak) in the vm2 third-party library.
Oxeye researchers reported this RCE vulnerability via Spotify’s bug bounty program, and the Backstage development team quickly fixed it with the release of version 1.5.1.
“An unauthenticated threat actor can execute arbitrary system commands on a Backstage application by exploiting a vm2 sandbox escape in the Scaffolder core plugin.” reads the advisory published by Oxeye.
The vulnerability resides in the software templates tools that allow developers to create components in Backstage.
The researchers explained that the template engine utilizes the vm2 library to prevent the execution of untrusted code.
The researchers run a simple query for the Backstage favicon hash in Shodan and discovered more than 500 Backstage instances exposed to the internet.
The experts noticed that Backstage is deployed by default without an authentication mechanism or an authorization mechanism, which allows guest access. Some of the publicly-exposed Backstage instances did not require any authentication.
Further tests allowed the experts to determine that the vulnerability could be exploited without authentication on many instances.
(SecurityAffairs – hacking, Spotify’s Backstage)