Linaro · Lava · CVE-2018-12563
**Name of the Vulnerable Software and Affected Versions**
Linaro LAVA versions prior to 2018.5.post1
**Description**
An issue was discovered that allows a user to force lava-server-gunicorn to download any file from the filesystem if it's readable by lavaserver and valid yaml, due to support for file: URLs.
**Recommendations**
For versions prior to 2018.5.post1, update to version 2018.5.post1 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files on the filesystem to prevent unauthorized downloads.