PT-2023-25385 · npm · @backstage/plugin-scaffolder-backend

Rugvip · Published 2023-06-21 · Updated 2023-06-29 · CVE-2023-35926

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: @backstage/plugin-scaffolder-backend versions prior to 1.15.0

Description: The Backstage scaffolder-backend plugin evaluates scaffolder templates with a templating library that must be sandboxed to prevent code injection. A malicious actor with write access to a registered scaffolder template could place code in the template and have it executed on the scaffolder-backend instance (remote code execution). Only the template YAML definition itself was exploitable; parameter values supplied by users of a template were not, which is why the vector records high privileges (PR:H) and a scope change (S:C) from the template repository to the backend host.

Recommendations: For versions prior to 1.15.0, update to version 1.15.0 of @backstage/plugin-scaffolder-backend to fix the issue. As a temporary workaround, restrict who can write to registered scaffolder templates and review changes to those templates manually, as recommended by the Backstage Threat Model.
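The following is an added illustration, not code from Backstage or from its templating library. It mimics the permissive member lookup that expression-based template engines perform, shows how an author who controls the template (not a user filling in parameters) reaches the Function constructor through the prototype chain, contrasts a lookup that refuses to leave the data it was given, and ends with a small review aid for the interim workaround above. All function names, the context object and the sample template YAML are constructed for this example.

```javascript
// Permissive lookup: plain obj[key] at every step, so prototype members
// such as `constructor` resolve exactly like data properties.
function unsafeLookup(ctx, path) {
  return path.split('.').reduce(
    (obj, key) => (obj == null ? undefined : obj[key]),
    ctx,
  );
}

// Hardened lookup (illustrative only): own properties of the values handed
// to the template, and never the keys that lead back to Function.
const DENIED_KEYS = new Set(['constructor', '__proto__', 'prototype']);
function safeLookup(ctx, path) {
  return path.split('.').reduce((obj, key) => {
    if (obj == null || DENIED_KEYS.has(key)) return undefined;
    if (!Object.prototype.hasOwnProperty.call(obj, key)) return undefined;
    return obj[key];
  }, ctx);
}

// A toy engine that lets `${{ path(arg) }}` call whatever `path` resolves to.
function evalCall(lookup, ctx, path, arg) {
  const fn = lookup(ctx, path);
  if (typeof fn !== 'function') throw new TypeError(`${path} is not callable`);
  return fn(arg);
}

// Template-author payload in the usual SSTI shape:
//   ${{ values.name.constructor.constructor('return typeof process')() }}
// 'world'.constructor is String, String.constructor is Function, so the
// permissive engine hands the author a function built from arbitrary source.
const PAYLOAD_PATH = 'values.name.constructor.constructor';
const PAYLOAD_BODY = 'return typeof process';

function escapeWithUnsafeLookup() {
  const ctx = { values: { name: 'world' } }; // constructed context
  const fn = evalCall(unsafeLookup, ctx, PAYLOAD_PATH, PAYLOAD_BODY);
  return fn(); // 'object': author-supplied code ran inside the host process
}

function escapeWithSafeLookup() {
  const ctx = { values: { name: 'world' } };
  try {
    evalCall(safeLookup, ctx, PAYLOAD_PATH, PAYLOAD_BODY);
    return 'reached Function';
  } catch (e) {
    return e instanceof TypeError ? 'blocked' : 'unexpected';
  }
}

// Review aid for the workaround: pull every `${{ ... }}` expression out of a
// template YAML text and flag those touching keys or globals that a plain
// data binding has no reason to use. Heuristic, for human review only.
const SUSPICIOUS =
  /\b(constructor|__proto__|prototype|process|require|child_process|Function|eval)\b/;
function flagSuspiciousExpressions(yamlText) {
  const findings = [];
  const re = /\$\{\{([\s\S]*?)\}\}/g;
  let m;
  while ((m = re.exec(yamlText)) !== null) {
    const expr = m[1].trim();
    if (SUSPICIOUS.test(expr)) findings.push(expr);
  }
  return findings;
}

// Constructed sample template: one benign binding, one injected expression.
const SAMPLE_TEMPLATE = `
apiVersion: scaffolder.backstage.io/v1beta3
kind: Template
metadata:
  name: example
spec:
  steps:
    - id: fetch
      action: fetch:template
      input:
        values:
          name: \${{ parameters.name }}
          leak: \${{ parameters.name.constructor.constructor('return process.env')() }}
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe lookup:', escapeWithUnsafeLookup());
  console.log('safe lookup:', escapeWithSafeLookup());
  console.log('flagged:', flagSuspiciousExpressions(SAMPLE_TEMPLATE));
}
```

Two caveats. The denylist in `safeLookup` only demonstrates the failure mode; a durable fix evaluates templates in an isolated runtime that holds no reference to host objects, since a denylist is one forgotten key away from the same escape. And `flagSuspiciousExpressions` is a grep, not a parser: an expression containing a literal `}}` inside a string will be truncated, and benign templates can trip it, so treat its output as a reviewer's worklist rather than a verdict.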

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2023-35926, GHSA-wg6p-jmpc-xjmr

Affected Products: @backstage/plugin-scaffolder-backend