CVE-2023-35926
CVSS 3.1 Score 9.9 of 10 (high)
Details
Summary
CVE-2023-35926 is a vulnerability in the Backstage developer portal platform, specifically in the `@backstage/plugin-scaffolder-backend` package. The plugin uses a templating library whose sandbox feature is built on the `vm2` library; `vm2` has a history of sandbox-escape vulnerabilities and may not be fully patched, so code placed in a template can break out of the sandbox. A malicious actor with write access to registered scaffolder templates could therefore modify a template to achieve remote code execution on the scaffolder-backend instance. The injection point was limited to the YAML template definition; user-supplied input data to the templates was not affected. This issue has been resolved in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.
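To find exposed installs, the following is an added example (not from the advisory or the Backstage project) that scans an npm package-lock.json for copies of `@backstage/plugin-scaffolder-backend` older than the 1.15.0 fix; the lockfile layouts follow npm's v1 and v2/v3 formats, and the sample lockfile at the end is constructed.

```javascript
const AFFECTED_PKG = "@backstage/plugin-scaffolder-backend";
const FIXED_VERSION = "1.15.0"; // version the advisory names as fixed

// Numeric compare of "x.y.z" strings; pre-release suffixes are dropped,
// which is a simplification (a 1.15.0 pre-release would count as fixed).
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect every installed copy of the package, including nested ones.
function findInstalledVersions(lock) {
  const found = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + AFFECTED_PKG) && entry.version) {
      found.push({ path, version: entry.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === AFFECTED_PKG && entry.version) found.push({ path, version: entry.version });
      walk(entry.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}

// Installs still below the fixed version, i.e. exposed to CVE-2023-35926.
function vulnerableInstalls(lock) {
  return findInstalledVersions(lock).filter((i) => compareSemver(i.version, FIXED_VERSION) < 0);
}

// Constructed sample lockfile (v3 shape): one outdated and one patched copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@backstage/plugin-scaffolder-backend": { version: "1.14.0" },
    "plugins/x/node_modules/@backstage/plugin-scaffolder-backend": { version: "1.15.0" },
  },
};
console.log(vulnerableInstalls(SAMPLE_LOCK)); // [{ path: "node_modules/@backstage/plugin-scaffolder-backend", version: "1.14.0" }]
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; any non-empty result means the fix has not been fully rolled out.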
Affected Products
- Linuxfoundation Backstage
Affected Vendors
- Linux Foundation