CVE-2023-35926 - Vulnerability Details - OpenCVE

Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This is vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Linuxfoundation	Backstage

Configuration 1 [-]

cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a
https://github.com/backstage/backstage/releases/tag/v1.15.0
https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr

History

Thu, 05 Dec 2024 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-06-22T13:29:03.361Z

Updated: 2024-12-05T17:48:07.987Z

Reserved: 2023-06-20T14:02:45.592Z

Link: CVE-2023-35926

Vulnrichment

Updated: 2024-08-02T16:37:40.040Z

NVD

Status : Modified

Published: 2023-06-22T14:15:09.607

Modified: 2024-11-21T08:08:59.457

Link: CVE-2023-35926

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-35926", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-20T14:02:45.592Z", "datePublished": "2023-06-22T13:29:03.361Z", "dateUpdated": "2024-12-05T17:48:07.987Z"}, "containers": {"cna": {"title": "Insecure sandbox in Backstage Scaffolder plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr"}, {"name": "https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a"}, {"name": "https://github.com/backstage/backstage/releases/tag/v1.15.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/backstage/backstage/releases/tag/v1.15.0"}], "affected": [{"vendor": "backstage", "product": "backstage", "versions": [{"version": "< 1.15.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-22T13:29:03.361Z"}, "descriptions": [{"lang": "en", "value": "Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This is vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`."}], "source": {"advisory": "GHSA-wg6p-jmpc-xjmr", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:37:40.040Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr"}, {"name": "https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a"}, {"name": "https://github.com/backstage/backstage/releases/tag/v1.15.0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/backstage/backstage/releases/tag/v1.15.0"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-05T17:47:53.884189Z", "id": "CVE-2023-35926", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-05T17:48:07.987Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr", "name": "https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a", "name": "https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/backstage/backstage/releases/tag/v1.15.0", "name": "https://github.com/backstage/backstage/releases/tag/v1.15.0", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:37:40.040Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-35926", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-12-05T17:47:53.884189Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-05T17:47:58.528Z"}}], "cna": {"title": "Insecure sandbox in Backstage Scaffolder plugin", "source": {"advisory": "GHSA-wg6p-jmpc-xjmr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "backstage", "product": "backstage", "versions": [{"status": "affected", "version": "< 1.15.0"}]}], "references": [{"url": "https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr", "name": "https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a", "name": "https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/backstage/backstage/releases/tag/v1.15.0", "name": "https://github.com/backstage/backstage/releases/tag/v1.15.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This is vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-22T13:29:03.361Z"}}}, "cveMetadata": {"cveId": "CVE-2023-35926", "state": "PUBLISHED", "dateUpdated": "2024-12-05T17:48:07.987Z", "dateReserved": "2023-06-20T14:02:45.592Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-06-22T13:29:03.361Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*", "matchCriteriaId": "41D3145E-0089-49C3-AFAA-7994C26E230A", "versionEndExcluding": "1.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This is vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`."}], "id": "CVE-2023-35926", "lastModified": "2024-11-21T08:08:59.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-22T14:15:09.607", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/backstage/backstage/releases/tag/v1.15.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/backstage/backstage/releases/tag/v1.15.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}