Igor Ponomarev

**Name of the Vulnerable Software and Affected Versions** Linaro Automated Validation Architecture (LAVA) versions prior to 2022.11 **Description** The issue allows users with valid credentials to submit crafted XMLRPC requests, causing a recursive XML entity expansion. This leads to excessive use of memory on the server and results in a Denial of Service. **Recommendations** For versions prior to 2022.11, update to version 2022.11 or later to resolve the issue. As a temporary workaround, consider restricting access to XMLRPC requests until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Linaro Automated Validation Architecture (LAVA) versions prior to 2022.11.1 **Description** The issue allows remote code execution through user-submitted Jinja2 templates. Specifically, the REST API endpoint for validating device configuration files in lava-server loads input as a Jinja2 template, which can be exploited to trigger remote code execution in the LAVA server. **Recommendations** For versions prior to 2022.11.1, update to version 2022.11.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST API endpoint responsible for validating device configuration files in lava-server until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Linaro Automated Validation Architecture (LAVA) versions prior to 2022.10 **Description** The issue is related to dynamic code execution in lava server/lavatable.py due to improper input sanitization. This allows an anonymous user to force the lava-server-gunicorn service to execute user-provided code on the server. **Recommendations** For versions prior to 2022.10, update to version 2022.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the lava-server-gunicorn service to minimize the risk of exploitation.