cve/2023/CVE-2023-35926.md

### [CVE-2023-35926](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35926)
![](https://img.shields.io/static/v1?label=Product&message=backstage&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%201.15.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-94%3A%20Improper%20Control%20of%20Generation%20of%20Code%20('Code%20Injection')&color=brighgreen)

### Description

Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities  that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This is vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/leesh3288/leesh3288
Update CVE sources 2024-08-06 19:19 2024-08-06 19:19:10 +00:00			`### [CVE-2023-35926](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35926)`
			`![](https://img.shields.io/static/v1?label=Product&message=backstage&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%201.15.0%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-94%3A%20Improper%20Control%20of%20Generation%20of%20Code%20('Code%20Injection')&color=brighgreen)`

			`### Description`

			Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This is vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/leesh3288/leesh3288`