PT-2018-11258 · Linaro · Lava

Published

2018-06-19

Updated

2019-09-18

CVE-2018-12565

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Linaro LAVA versions prior to 2018.5.post1

Description An issue allows remote code execution due to the use of yaml.load() instead of yaml.safe load() when parsing user data.

Recommendations For versions prior to 2018.5.post1, update to version 2018.5.post1 or later to resolve the issue. As a temporary workaround, consider restricting the use of user data parsing functionality until a patch is available.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2018-12565

DSA-4234-1

Affected Products

Lava

PT-2018-11258 · Linaro · Lava

CVE-2018-12565

Weakness Enumeration

Related Identifiers

Affected Products

References · 12