8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-35926

GHSA ID

GHSA-wg6p-jmpc-xjmr

EPSS Score

0.83761%

CWE

CWE-94

Published

6/21/2023

Updated

11/11/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-35926

CVE-2023-35926:
Backstage Scaffolder plugin has insecure sandbox

The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been vm2, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library.

Impact

A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data.

Patches

This is vulnerability is fixed in version 1.15.0 of @backstage/plugin-scaffolder-backend.

Workarounds

Note that the Backstage Threat Model states that scaffolder templates are considered to be a sensitive area that with the recommendation that you control access and perform manual reviews of changes to the scaffolder templates. The exploit is of a nature where it is easily discoverable in manual review.

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-35926

GHSA ID

GHSA-wg6p-jmpc-xjmr

EPSS Score

0.83761%

CWE

CWE-94

Published

6/21/2023

Updated

11/11/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@backstage/plugin-scaffolder-backend	npm	< 1.15.0	1.15.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the use of vm2 library for sandboxing template execution. The commit diff shows replacement of vm2 with isolated-vm in SecureTemplater.ts, indicating this was the vulnerable implementation point. While the exact function name isn't shown in the diff, the SecureTemplater class is directly responsible for sandboxed template execution. The CWE-94 (Code Injection) classification and advisory details confirm this was an insecure code generation control issue in the sandbox implementation. The high confidence comes from: 1) Explicit library replacement in the patch, 2) CWE mapping to code injection in templating, 3) Advisory stating RCE via template manipulation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** ***kst*** s****ol**r-***k*n* plu*in us*s * t*mpl*tin* li*r*ry t**t r*quir*s * s*n**ox, *s it *y **si*n *llows *or *o** inj**tion. T** li*r*ry us** *or t*is s*n**ox so **r **s ***n `vm*`, *ut in li**t o* s*v*r*l p*st vuln*r**iliti*s *n* *xistin* v

Reasoning

T** vuln*r**ility st*ms *rom t** us* o* `vm*` li*r*ry *or s*n**oxin* t*mpl*t* *x**ution. T** *ommit *i** s*ows r*pl***m*nt o* `vm*` wit* `isol*t**-vm` in `S**ur*T*mpl*t*r.ts`, in*i**tin* t*is w*s t** vuln*r**l* impl*m*nt*tion point. W*il* t** *x**t `

8.1

Basic Information

Concerned about an active attack path?

CVE-2023-35926: Backstage Scaffolder plugin has insecure sandbox

Impact

Patches

Workarounds

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-35926:
Backstage Scaffolder plugin has insecure sandbox

Vulnerability Intelligence
Miggo AI