This blogpost is essentially using a previous sandbox escape they discovered against Backstage, which is Spotify's incubated solution for managing infrastructure and microservices and such.Backstage includes software templates, which can contain ` message` parameter that gets rendered in Nunjucks (a JS templating engine)...
A long chain of issues going from blind SSRF to new-line injection to a blind Livestatus Query Language (LQL) injection to arbitrary file deletion and finally a race condition leading to authentication bypass.
At its core, a simple, yet odd Linux kernel issue, `__io_req_init_async` assumes that the new request (`req`) being submitted was submitted by its own worker, so it sets the `req->work.identity` to `current->io_uring`.
A format-string bug in Trackmania Forever server accessible from server clients, pretty straight forward bug, input in a client RPC gets printed on the server.