CVE-2023-35926 Information

Description

Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox as it by design allows for code injection. The library used for this sandbox so far has been vm2 but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This is vulnerability is fixed in version 1.15.0 of @backstage/plugin-scaffolder-backend.

Reference

https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr https://github.com/backstage/backstage/releases/tag/v1.15.0 https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a