CVE-2023-35926

2023-06-2214:15:09

CWE-94

[email protected]

web.nvd.nist.gov

backstage

plugin

scaffolder-backend

remote code execution

cve-2023-35926

security vulnerability

nvd

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

9.9 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.0%

JSON

Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been vm2, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This is vulnerability is fixed in version 1.15.0 of @backstage/plugin-scaffolder-backend.

Affected configurations

Vulners

NVD

Node

backstagebackstageRange<1.15.0

VendorProductVersionCPE
backstagebackstage*cpe:2.3:a:backstage:backstage:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
backstage	backstage	*	cpe:2.3:a:backstage:backstage::::::::

CNA Affected

[
  {
    "vendor": "backstage",
    "product": "backstage",
    "versions": [
      {
        "version": "< 1.15.0",
        "status": "affected"
      }
    ]
  }
]