
Remote code execution found in cloud development toolkit Backstage

Backstage, an open-source toolkit originally developed by Spotify, has a vulnerability that could allow remote code execution, cloud security firm Oxeye reported. (Photo by Spencer Platt/Getty Images)

Cloud security firm Oxeye reported that its research team was able to gain remote code execution (RCE) in a popular cloud development toolkit called Backstage.

Originally started by Spotify and now open-sourced on GitHub, Backstage is an open platform for building developer portals. In a Nov. 15 blog post, Oxeye researchers said they were able to gain RCE by “exploiting a VM sandbox escape through the vm2 third-party library.”

The vulnerability has a CVSS score of 9.8 and was reported to Spotify, which patched the RCE in version 1.5.1. 

Besides Spotify, Oxeye said American Airlines, Netflix and Splunk are just some of the organizations that use Backstage to integrate systems such as Prometheus, Jira and ElasticSearch, so an attacker who exploits the flaw could “compromise those services and the data they hold.”

As noted by Sophos’ Naked Security blog, the “Backstage RCE depends on a sequence of coding flaws that ultimately depend on a specific bug, designated CVE-2022-36067 in a supply-chain component that Backstage relies on called vm2,” which was reported by Oxeye in August and patched by the vm2 team.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
