RCE vulnerability affecting v1beta3 templates in @backstage/plugin-scaffolder-backend

The templating library used by the scaffolder backend assumes that templates are trusted which is an undesired property of the scaffolder-backend. This has now been mitigated by sandboxing the template code execution.

Impact

A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template yaml definition itself and not by user input data.

Patches

This is vulnerability is patched in version 0.15.14 of @backstage/plugin-scaffolder-backend.

For more information

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our chat, linked to in Backstage README

Published: Dec 1, 2021
Updated: Apr 14, 2023
GHSA: GHSA-2g8g-63j4-9w3r
Severity: High
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
@backstage / plugin-scaffolder-backend	-	0.15.14

https://github.com/backstage/backstage/security/advisories/GHSA-2g8g-63j4-9w3r

Vulnerability Database

RCE vulnerability affecting v1beta3 templates in @backstage/plugin-scaffolder-backend

Impact

Patches

For more information

Deep Security Visibility Without the Complexity