Cloud security firm Oxeye reported that its research team was able to gain remote code execution (RCE) in a popular cloud development toolkit called Backstage.
Originally created by Spotify and now open-sourced on GitHub, Backstage is an open platform for building developer portals. In a Nov. 15 blog post, Oxeye researchers said they were able to gain remote code execution (RCE) by “exploiting a VM sandbox escape through the vm2 third-party library.”
The vulnerability has a CVSS score of 9.8 and was reported to Spotify, which patched the RCE in version 1.5.1.
Besides Spotify, Oxeye said American Airlines, Netflix and Splunk are just some of the organizations that use Backstage to integrate systems such as Prometheus, Jira and ElasticSearch, meaning the vulnerability could be used to “compromise those services and the data they hold.”
As noted by Sophos’ Naked Security blog, the “Backstage RCE depends on a sequence of coding flaws that ultimately depend on a specific bug, designated CVE-2022-36067 in a supply-chain component that Backstage relies on called vm2,” which was reported by Oxeye in August and patched by the vm2 team.