CVE-2022-44641

Published: 18/11/2022 Updated: 07/11/2023
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

In Linaro Automated Validation Architecture (LAVA) prior to 2022.11, users with valid credentials can submit crafted XMLRPC requests that cause a recursive XML entity expansion, leading to excessive use of memory on the server and a Denial of Service.

Vulnerable Product

linaro lava

debian debian linux 10.0

debian debian linux 11.0

Vendor Advisories

Debian Bug report logs - #1024429 lava: CVE-2022-44641: Recursive XML entity expansion. Package: src:lava; Maintainer for src:lava is Debian LAVA team <pkg-linaro-lava-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 19 Nov 2022 10:57:02 UTC; Severity: important; Tags: sec ...
Igor Ponomarev discovered that LAVA, a continuous integration system for deploying operating systems onto physical and virtual hardware for running tests, was susceptible to denial of service via recursive XML entity expansion. For the stable distribution (bullseye), this problem has been fixed in version 2020.12-5+deb11u2. We recommend that you up ...