Security researchers from Oxeye have discovered a vulnerability in Backstage, a Cloud Native Computing Foundation (CNCF) incubated project utilized by Spotify. According to the researchers, the flaw could be exploited to achieve remote code execution. The Oxeye research team achieved this by escaping the virtual machine sandbox provided by a third-party library named vm2. Oxeye reported the vulnerability to Spotify’s bug bounty program, and the team has since patched it.
Spotify has ranked the vulnerability as critical, assigning it a CVSS score of 9.8 out of 10. Successful exploitation of the flaw could have critical implications for organizations, Spotify says. Oxeye was able to execute the payload locally and assess the potential impact if the vulnerability were exploited by a threat actor. Backstage is deployed by default without an authentication mechanism, the security researchers reported. Additionally, the researchers reported that some Backstage servers accessible from the internet did not require any authentication.