CVE-2023-35926

CVSS 3.1 Score 9.9 of 10 (critical)

Details

Published: Jun 22, 2023
Updated: Jun 29, 2023
CWE ID 94 (Improper Control of Generation of Code, 'Code Injection')

Summary

CVE-2023-35926 affects the Backstage developer portal platform, specifically the `@backstage/plugin-scaffolder-backend` package. The scaffolder renders template expressions with a templating library that must be sandboxed, because template expressions can otherwise execute arbitrary code. That sandbox was provided by the `vm2` library, which has a history of sandbox-escape vulnerabilities, some still unpatched when this advisory was published. A malicious actor with write access to a registered scaffolder template could therefore craft the template so that rendering it executes code on the scaffolder-backend instance (remote code execution). The issue is exploitable only through the YAML definition of the template itself, not through the user-supplied input data a template consumes; the privilege an attacker needs is the ability to modify templates registered with the scaffolder. This issue has been resolved in version 1.15.0 of `@backstage/plugin-scaffolder-backend`; the practical check is that every resolved copy of the package in a deployment is 1.15.0 or later.
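As an added example (not from this advisory or from the Backstage project), the following Node.js script scans a yarn.lock, the lockfile Backstage deployments use, for resolutions of `@backstage/plugin-scaffolder-backend` older than the fixed release 1.15.0. Both yarn classic and yarn berry lockfile syntax are handled. The lockfile snippets in the block are constructed for the example, and the lockfile parsing and semver comparison are this example's own simplified versions, not yarn's.

```javascript
'use strict';
// Added example (not from the advisory or the Backstage project): flag
// yarn.lock resolutions of @backstage/plugin-scaffolder-backend that are older
// than 1.15.0, the release in which CVE-2023-35926 was fixed.

const PACKAGE = '@backstage/plugin-scaffolder-backend';
const FIXED_VERSION = '1.15.0';

// Compare two "MAJOR.MINOR.PATCH[-pre][+build]" strings: -1, 0 or 1.
// Pre-releases sort before the release they precede (1.15.0-next.1 < 1.15.0);
// pre-release tags are compared lexically, which is a simplification.
function compareSemver(a, b) {
  const parse = (v) => {
    const noBuild = v.split('+')[0];
    const dash = noBuild.indexOf('-');
    const core = dash < 0 ? noBuild : noBuild.slice(0, dash);
    const pre = dash < 0 ? '' : noBuild.slice(dash + 1);
    return { nums: core.split('.').map(Number), pre };
  };
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    const l = x.nums[i] || 0, r = y.nums[i] || 0;
    if (l !== r) return l < r ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Package name of a lockfile key such as "@scope/name@^1.2.3" or
// "@scope/name@npm:^1.2.3": everything before the last "@".
function packageName(key) {
  const at = key.lastIndexOf('@');
  return at > 0 ? key.slice(0, at) : key;
}

// Minimal yarn.lock reader for both yarn classic (v1) and yarn berry syntax.
// An entry header is an unindented line ending in ":" that may list several
// comma-separated keys resolving to one version; a "version" field follows.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const keys = line.slice(0, -1).split(',')
        .map((k) => k.trim().replace(/^"|"$/g, ''));
      current = { keys, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Return every resolution of PACKAGE whose version is below FIXED_VERSION.
function findVulnerable(lockText) {
  const hits = [];
  for (const entry of parseYarnLock(lockText)) {
    if (!entry.version || !entry.keys.some((k) => packageName(k) === PACKAGE)) continue;
    if (compareSemver(entry.version, FIXED_VERSION) < 0) {
      hits.push({ version: entry.version, keys: entry.keys });
    }
  }
  return hits;
}

// Constructed sample lockfiles (not real project files).
const SAMPLE_CLASSIC_LOCK = `
# yarn lockfile v1

"@backstage/plugin-scaffolder-backend@^1.14.0":
  version "1.14.0"
  dependencies:
    "@backstage/plugin-scaffolder-node" "^0.1.4"

"@backstage/plugin-scaffolder-node@^0.1.4":
  version "0.1.4"
`;

const SAMPLE_BERRY_LOCK = `
__metadata:
  version: 6

"@backstage/plugin-scaffolder-backend@npm:^1.14.0, @backstage/plugin-scaffolder-backend@npm:^1.14.5":
  version: 1.14.5

"@backstage/plugin-scaffolder-backend@npm:^1.15.0":
  version: 1.15.0
`;

// Usage: node check-scaffolder-backend.js path/to/yarn.lock
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const hits = findVulnerable(require('fs').readFileSync(process.argv[2], 'utf8'));
  for (const h of hits) console.log(`VULNERABLE ${PACKAGE}@${h.version} (${h.keys.join(', ')})`);
  process.exitCode = hits.length ? 1 : 0;
}
```

The check matches on the exact package name, so sibling packages such as `@backstage/plugin-scaffolder-node` or scaffolder action modules are not reported; only the backend package named in the advisory is. Because a lockfile can hold several resolutions of the same package when different workspaces request different ranges, every matching entry is inspected rather than just the first.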



Affected Products

  • Linuxfoundation Backstage

Affected Vendors

  • Linux Foundation
