CVSSv3: 8.8

CVE-2022-42902

Published: 13/10/2022 Updated: 02/02/2023
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

In Linaro Automated Validation Architecture (LAVA) prior to 2022.10, there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization, an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the server.

Vulnerable Products

linaro lava

debian debian linux 10.0

debian debian linux 11.0

Vendor Advisories

Debian Bug report logs - #1021737 lava: CVE-2022-42902. Package: src:lava; Maintainer for src:lava is Debian LAVA team <pkg-linaro-lava-devel@lists.alioth.debian.org>; Reported by: Moritz Mühlenhoff <jmm@inutil.org>; Date: Thu, 13 Oct 2022 19:15:02 UTC; Severity: grave; Tags: security, upstream ...
Igor Ponomarev discovered that LAVA, a continuous integration system for deploying operating systems onto physical and virtual hardware for running tests, used exec() on input passed to the server component. For the stable distribution (bullseye), this problem has been fixed in version 2020.12-5+deb11u1. We recommend that you upgrade your lava pack ...