Cyber Resilience

CVE-2023-35926

High · RCE

Published: 22 June 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (version 1.15.0)
CVSS v3.1 score: 8.0 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0915 (92.9th percentile)
Risk priority: 21 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-35926 is a high-severity Code Injection (CWE-94) vulnerability in Linuxfoundation Backstage. Its CVSS base score is 8.0 (High).

Operationally, it is ranked in the top 7.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is a code injection flaw (CWE-94) in the Backstage scaffolder-backend plugin, which previously relied on the vm2 library to sandbox template execution. Affected software is the @backstage/plugin-scaffolder-backend package prior to version 1.15.0; the component allows registered templates to execute code by design, but the sandbox was insufficient to prevent escape.

An attacker with write access to a registered scaffolder template can craft the template YAML definition to achieve remote code execution on the scaffolder-backend instance. Exploitation is limited to the template itself and cannot be triggered through ordinary user-supplied input data; the CVSS 8.0 score reflects the high impact combined with the requirement for high-privilege access and a complex attack path.

Advisories and patches published by the Backstage project state that the issue is resolved in @backstage/plugin-scaffolder-backend 1.15.0 by replacing vm2 with an alternative sandboxing library. The fix is documented in the project’s GitHub security advisory GHSA-wg6p-jmpc-xjmr and the corresponding release notes and commit.
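A defender's first question is whether a deployment still pins a pre-fix release. The following is an added example, not code from the advisory or the Backstage project: it scans a yarn.lock (classic v1 or Berry syntax) for installed copies of `@backstage/plugin-scaffolder-backend` and reports any version below 1.15.0. The lock excerpt is constructed sample input, and the version comparison ignores pre-release suffixes, which is an assumption of this check.

```javascript
// Added example, not Backstage project code: flag pre-fix copies of the
// scaffolder backend package in a yarn.lock (classic v1 or Berry syntax).
const PKG = '@backstage/plugin-scaffolder-backend';
const FIXED = '1.15.0'; // fixed release named in the advisory

// Numeric compare of dotted versions; pre-release suffixes are dropped, so a
// "1.15.0-next.1" build counts as 1.15.0 (an assumption of this check).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// An unindented line ending in ':' opens a lock entry whose key(s) name the
// package; the indented `version` line that follows gives the resolved version.
// Classic (`version "1.14.0"`) and Berry (`version: 1.14.0`) forms both match.
function scaffolderVersions(lockText) {
  const found = [];
  let inEntry = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (line.length && !/^\s/.test(line)) {
      // a header may list several ranges: "pkg@^1.0.0, pkg@^1.2.0":
      inEntry = line.split(',').some((k) => k.replace(/^[\s"]+/, '').startsWith(PKG + '@'));
      continue;
    }
    const m = inEntry && line.match(/^\s+version:?\s+"?(\d[^"\s]*)"?/);
    if (m) { found.push(m[1]); inEntry = false; }
  }
  return found;
}

// Installed versions that predate the fix and therefore carry CVE-2023-35926.
function vulnerableVersions(lockText) {
  return scaffolderVersions(lockText).filter((v) => compareVersions(v, FIXED) < 0);
}

// Constructed sample: a pre-fix copy (classic syntax), a fixed copy (Berry
// syntax) and a sibling package that must not match.
const SAMPLE_LOCK = `
"@backstage/plugin-scaffolder-backend@^1.14.0":
  version "1.14.0"
"@backstage/plugin-scaffolder-backend@npm:^1.15.0":
  version: 1.15.0
"@backstage/plugin-scaffolder-node@^0.1.0":
  version "0.1.0"
`;
console.log(vulnerableVersions(SAMPLE_LOCK)); // [ '1.14.0' ]
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file's contents; an empty result means no pre-fix copy is pinned.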

EPSS remains flat at its peak of 0.0915, with no material increase after disclosure.

EU & UK References

Vulnerability details

Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

linuxfoundation
backstage
≤ 1.15.0

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses CWE-94: Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.

addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.

References