Oxeye to Announce New Vulnerability in Spotify’s Backstage with CVSS Score of 9.8/10
November 2022, by Oxeye Research
On Tuesday, November 15th, Oxeye’s Security Research Team will announce the discovery of a new vulnerability in Spotify’s Backstage.
Backstage is a development environment that unifies all infrastructure tooling, services, and documentation. With more than 19,000 stars on GitHub, it is one of the most popular open-source platforms for building developer portals and is in widespread use at Spotify, American Airlines, Netflix, Splunk, Fidelity Investments, Epic Games, Palo Alto Networks and many others.
The vulnerability is a vm2 sandbox escape in the Scaffolder core plugin; exploiting it gives threat actors the ability to execute arbitrary system commands on a Backstage application. It is critical that this vulnerability is addressed without delay.