Published: 19/06/2018 Updated: 10/08/2018

CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8

CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8

VMScore: 356

Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

An issue exists in Linaro LAVA prior to 2018.5.post1. Because of support for URLs in the submit page, a user can forge an HTTP request that will force lava-server-gunicorn to return any file on the server that is readable by lavaserver and valid yaml.

Vulnerable Product	Search on Vulmon	Subscribe to Product
linaro lava
debian debian linux 8.0
debian debian linux 9.0

Two vulnerabilities were discovered in LAVA, a continuous integration system for deploying operating systems for running tests, which could result in information disclosure of files readable by the lavaserver system user or the execution of arbitrary code via a XMLRPC call For the stable distribution (stretch), these problems have been fixed in ve ...

CWE-20 https://git.linaro.org/lava/lava.git/commit/?id=95a9a77b144ced24d7425d6544ab03ca7f6c75d3 https://www.debian.org/security/2018/dsa-4234 https://lists.debian.org/debian-lts-announce/2018/06/msg00011.html https://nvd.nist.gov https://www.debian.org/security/./dsa-4234

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2018-12564

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect