Backstage TechDocs, Arbitrary Code Execution, CVE-2024-28157 (Critical)

Listen to this Post

The CVE-2024-28157 vulnerability exploits the TechDocs plugin in Backstage when configured to run documentation builds locally (runIn: local). An attacker with write access to a repository’s `mkdocs.yml` file can inject malicious configuration into the `hooks` section, a feature introduced in MkDocs 1.4.0. These hooks allow custom Python code execution during the MkDocs build process. TechDocs, using the vulnerable `@backstage/plugin-techdocs-node` package, does not properly sanitize the `mkdocs.yml` input before passing it to the MkDocs generator. When TechDocs processes a malicious `mkdocs.yml` file, the embedded Python hooks are executed on the build server with the same privileges as the TechDocs service, leading to arbitrary code execution. This compromises the build server, allowing data theft, lateral movement, or further attacks within the infrastructure.
Platform: Backstage TechDocs
Version: <1.13.11, <1.14.1
Vulnerability : Arbitrary Code Execution
Severity: Critical
date: 2024-03-20

Prediction: Patched 2024-03-20

What Undercode Say:

Analytics:

Check TechDocs version
npm list @backstage/plugin-techdocs-node
Sample malicious mkdocs.yml snippet
hooks:
on_pre_build:
- python -c "import os; os.system('cat /etc/passwd')"

how Exploit:

Attacker modifies `mkdocs.yml` in a repo with malicious hooks. TechDocs builds docs locally, executing the Python code.

Protection from this CVE

Upgrade to patched versions. Use runIn: docker. Restrict repo access.

Impact:

Arbitrary code execution on build server, full compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top