A critical unauthenticated remote code execution vulnerability in Spotify’s Backstage project has been found and fixed, and developers are advised to take immediate action in their environments.
What is Backstage?
Backstage is one of the most popular open-source platforms for building developer portals and is in widespread use by Spotify, American Airlines, Netflix, Splunk, Fidelity Investments, Epic Games, Palo Alto Networks and many others.
NPM (Node Package Manager) is the package manager and registry for Node.js: it is how server-side JavaScript projects such as Backstage pull in open-source libraries for everything from cryptography and database access to logging, and it is where the vm2 sandboxing library at the heart of this bug comes from.
Vulnerability
Unfortunately, the bug disclosed today, if unpatched, gives unauthenticated outsiders (loosely, anyone who can reach the Backstage backend API) a way to trigger remote code execution (RCE) inside the backend servers on your network.
Oxeye researchers reported the vulnerability through Spotify’s bug bounty program, and Spotify rapidly patched the vulnerability and released Backstage version 1.5.1, which fixes the issue.
The Backstage flaw is rooted in CVE-2022-36067, a sandbox escape in the vm2 JavaScript sandboxing library that Backstage depends on. Oxeye itself reported that bug back in August 2022 (giving it the PR-friendly name "Sandbreak", because it breaks out of the sandbox), and the vm2 team patched it promptly, almost three months before this disclosure. An application that kept shipping an older vm2 therefore stayed exposed long after the library fix was available.
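The practical check that follows from the above is whether any copy of vm2 in your deployment still predates the Sandbreak fix. The Node.js script below is an added example, not code from this article, from Backstage or from vm2: it walks an npm package-lock.json (v1 nested "dependencies" or v2/v3 flat "packages") and reports every installed copy of vm2 older than 3.9.11. Two assumptions are built in: vm2 3.9.11 is taken as the first fixed release, which comes from the vm2 advisory rather than from this article, and the lockfile embedded at the bottom is constructed for the demonstration. Nested copies are checked deliberately, because a transitive dependency can pin an old vm2 even after the top-level one has been upgraded.

```javascript
'use strict';
// Added example (not Backstage's or vm2's own code): audit an npm lockfile
// for copies of vm2 older than the CVE-2022-36067 ("Sandbreak") fix.

// Assumption: vm2 3.9.11 is the first release containing the Sandbreak fix
// (taken from the vm2 advisory, not from the article above).
const POLICY = { vm2: '3.9.11' };

// Parse "1.2.3", "v1.2.3" or "1.2.3-beta.1" into comparable parts.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(s).trim());
  if (!m) return null;
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Semver ordering: numeric core first; a prerelease sorts before the matching
// release; prerelease identifiers compare numerically when both are numeric,
// numeric ids sort before alphanumeric ones, otherwise lexically; a shorter
// identifier list sorts first. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 || pb.pre.length === 0) {
    return pa.pre.length === pb.pre.length ? 0 : pa.pre.length ? -1 : 1;
  }
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (nx !== ny) {
      return nx ? -1 : 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return pa.pre.length === pb.pre.length ? 0 : pa.pre.length < pb.pre.length ? -1 : 1;
}

// Lockfile v2/v3: flat "packages" map keyed by install path ("" is the root).
function* walkPackages(packages) {
  for (const [path, entry] of Object.entries(packages)) {
    if (!path || !entry.version) continue;
    const marker = 'node_modules/';
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    yield { path, name, version: entry.version };
  }
}

// Lockfile v1: nested "dependencies" objects, one level per node_modules.
function* walkDependencies(deps, prefix = '') {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (entry.version) yield { path, name, version: entry.version };
    if (entry.dependencies) yield* walkDependencies(entry.dependencies, `${path}/`);
  }
}

// Return every installed copy of a policy package below its fixed version,
// including copies nested under other dependencies.
function findVulnerable(lockfile, policy = POLICY) {
  const entries = lockfile.packages
    ? [...walkPackages(lockfile.packages)]
    : [...walkDependencies(lockfile.dependencies)];
  const findings = [];
  for (const e of entries) {
    const fixed = policy[e.name];
    if (fixed && compareVersions(e.version, fixed) < 0) findings.push({ ...e, fixed });
  }
  return findings;
}

// Convenience wrapper for a lockfile read from disk: findVulnerable(JSON.parse(text)).
function auditLockfileText(text, policy = POLICY) {
  return findVulnerable(JSON.parse(text), policy);
}

// Constructed sample lockfile (not a real Backstage install): the top-level
// vm2 is fixed, but a plugin still pins an older copy underneath it.
const SAMPLE_LOCK = {
  name: 'backstage-app', lockfileVersion: 3,
  packages: {
    '': { name: 'backstage-app', version: '0.1.0' },
    'node_modules/vm2': { version: '3.9.11' },
    'node_modules/legacy-plugin': { version: '1.0.0' },
    'node_modules/legacy-plugin/node_modules/vm2': { version: '3.9.9' },
  },
};

function auditSample() {
  return findVulnerable(SAMPLE_LOCK);
}

for (const f of auditSample()) {
  console.log(`VULNERABLE ${f.path} ${f.name}@${f.version} (fixed in ${f.fixed})`);
}
```

On the constructed sample the script reports only the nested copy under legacy-plugin, which is exactly the case `npm ls vm2` at the top level can make easy to miss. The POLICY map can be extended with other package/fixed-version pairs; Backstage release numbers do not correspond one-to-one to the versions of the individual @backstage/* npm packages, which is why the check targets the vm2 dependency itself rather than a Backstage version string.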
More details about the vulnerability can be found here.