CVSSv3: 9.8

CVE-2022-45132

Published: 18/11/2022 Updated: 07/11/2023
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

In Linaro Automated Validation Architecture (LAVA) prior to 2022.11.1, remote code execution can be achieved through a user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads the submitted input as a Jinja2 template and renders it; because Jinja2 rendering evaluates template expressions with the privileges of the server process, an attacker who can reach the endpoint can trigger remote code execution on the LAVA server.
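The bug class behind this CVE is server-side template injection: untrusted text is handed to a template engine as template source rather than as data. The block below is an added illustration written for this page, not LAVA's own code or its actual fix. It assumes Jinja2 3.x is installed; the function names (`validate_device_config_vulnerable`, `validate_device_config_syntax_only`, `render_in_sandbox`) and the attacker payload are hypothetical and constructed here. The payload reaches `os` through Jinja2's default `cycler` global and calls `os.getpid()` so the result can be checked without spawning a shell; swapping in `os.popen(...)` is the step that turns it into the remote code execution described above.

```python
"""Jinja2 SSTI: the vulnerable pattern beside two hardened forms.

Added example for this page (not LAVA project code). Assumes Jinja2 3.x.
All endpoint-like function names and the payload are hypothetical.
"""
import os

from jinja2 import Environment, TemplateSyntaxError
from jinja2.sandbox import ImmutableSandboxedEnvironment, SecurityError

# Constructed attacker input. `cycler` is a Python class that Jinja2 puts in
# every template's globals; its __init__.__globals__ is the jinja2.utils
# module namespace, which imports os. Any os function is reachable from there
# (popen, system, ...); getpid() is used so the outcome is deterministic.
PAYLOAD = "{{ cycler.__init__.__globals__.os.getpid() }}"


def validate_device_config_vulnerable(user_input: str) -> str:
    """Hypothetical 'validation' that renders untrusted text as a template.

    Rendering evaluates every {{ ... }} expression in the server process,
    so a syntax check implemented this way is a code execution primitive.
    """
    return Environment().from_string(user_input).render()


def validate_device_config_syntax_only(user_input: str):
    """Hardened variant 1: parse, never render.

    Environment.parse() builds the template AST and raises
    TemplateSyntaxError on malformed input, but evaluates nothing, so the
    payload above is accepted as syntactically valid without running.
    """
    try:
        Environment().parse(user_input)
    except TemplateSyntaxError as exc:
        return (False, f"line {exc.lineno}: {exc.message}")
    return (True, "ok")


def render_in_sandbox(user_input: str):
    """Hardened variant 2: if rendering is unavoidable, use the sandbox.

    ImmutableSandboxedEnvironment refuses attribute access to names starting
    with '_' (so `cycler.__init__` is cut off) and raises SecurityError when
    the template tries to go further.
    """
    try:
        out = ImmutableSandboxedEnvironment().from_string(user_input).render()
        return ("ok", out)
    except SecurityError as exc:
        return ("blocked", str(exc))


def current_pid() -> str:
    """Helper for checking that the payload really ran in this process."""
    return str(os.getpid())


if __name__ == "__main__":
    print("vulnerable :", validate_device_config_vulnerable(PAYLOAD))
    print("syntax-only:", validate_device_config_syntax_only(PAYLOAD))
    print("sandbox    :", render_in_sandbox(PAYLOAD))
```

The parse-only variant is the right fix for a validation endpoint: a syntax check has no reason to execute the template. The sandbox is a second line of defence, not a substitute, since sandbox escapes have a long history; keep it for cases where output is genuinely needed and still treat rendering untrusted templates as a privileged operation.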

Affected Product

linaro lava

Vendor Advisories

Debian Bug report logs - #1024428 lava: CVE-2022-45132: Code execution in jinja templates. Package: src:lava; Maintainer for src:lava is Debian LAVA team <pkg-linaro-lava-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 19 Nov 2022 10:51:02 UTC; Severity: grave; Tags: secu ...