A security flaw in Spotify’s open-source, Cloud Native Computing Foundation (CNCF)-incubated project Backstage has been discovered that could lead to threat actors performing RCE.
The findings come after a team of security researchers managed to exploit a virtual machine sandbox escape via a third-party library named vm2. The RCE is rated as critical, with a CVSS score of 9.8.
Successful exploitation has critical implications for any affected organization and can compromise those services and the data they hold.
Once the researchers successfully executed the payload locally, they attempted to assess the potential impact of such a vulnerability if exploited in the wild. Also, researchers discovered that Backstage was being deployed by default without an authentication mechanism or an authorization mechanism, which allowed guest access.
Researchers tried to set up a local Backstage instance that requires authentication, following the tutorial guidelines originally maintained by the platform.
However, when sending requests directly to the backend API server of some internet-exposed instances, the researchers found that a handful did not require any form of authentication or authorization.
To mitigate the impact of this vulnerability, Spotify has urged companies and individuals to update to the latest version of Backstage.
Moreover, if you’re using a template engine in your application, make sure you choose one with security in mind. Robust template engines are extremely useful but might pose a risk to your organization.
This research was documented by researchers from Oxeye.