Music Platform Spotify couldn’t stop from being a prey in the hands of cyberattack.
Spotify’s Backstage has been discovered as vulnerable to a severe security flaw that could be exploited to gain remote code execution by leveraging a recently disclosed bug in a third-party module.
“An unauthenticated threat actor can execute arbitrary system commands on a Backstage application by exploiting a vm2 sandbox escape in the Scaffolder core plugin,” application security firm Oxeye said in a report shared with The Hacker News.
According to Oxeye, the security flaw is rooted in a tool called software templates that can be used to create components within Backstage.
While the template engine utilizes vm2 to mitigate the risk associated with running untrusted code, the sandbox escape flaw in the latter made it possible to execute arbitrary system commands outside of the security perimeter.
Oxeye said it was able to identify more than 500 publicly-exposed Backstage instances on the internet, which could then be remotely weaponized by an adversary without requiring any authorization.
Following responsible disclosure on August 18, the issue was addressed by the project maintainers in version 1.5.1 released on August 29, 2022.
“Separating the logic from the presentation as much as possible can greatly reduce your exposure to the most dangerous template-based attacks,” it further added.