Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Insecure sandbox in Backstage Scaffolder plugin
Vulnerability Description
Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This is vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
Backstage 代码注入漏洞
Vulnerability Description
Backstage是一个应用软件。后台是一个开放的平台,用于构建开发者门户。 Backstage 1.15.0之前版本存在代码注入漏洞,该漏洞源于允许攻击者在基架文件夹后端实例上执行远程代码。
CVSS Information
N/A
Vulnerability Type
N/A