PT-2022-26653 · Linaro · Lava

Igor Ponomarev · Published 2022-10-13 · Updated 2025-05-15 · CVE-2022-42902

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Linaro Automated Validation Architecture (LAVA) versions prior to 2022.10

Description: The issue stems from dynamic code execution in lava_server/lavatable.py on improperly sanitized input. This allows an anonymous user to make the lava-server-gunicorn service execute user-supplied code on the server.

Recommendations: For versions prior to 2022.10, update to version 2022.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the lava-server-gunicorn service to minimize the risk of exploitation.
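The following is an added illustration of the weakness class the description names (dynamic code execution on unsanitized input), not LAVA's own lavatable.py and not the project's fix: a table view that evaluates a client-supplied filter string as Python, beside a hardened replacement that parses a small explicit grammar against an allowlist of fields and operators. The table schema, field names, filter syntax and sample rows are all constructed for the example.

```python
"""Added illustration of the CWE class behind CVE-2022-42902 (code injection through
dynamic code execution on unsanitized input). This is not LAVA's lavatable.py; the
table schema, field names and filter grammar are constructed for the example.
"""
import operator
import re

# Constructed sample rows standing in for a database-backed table.
ROWS = [
    {"id": 1, "status": "Complete", "priority": 50},
    {"id": 2, "status": "Incomplete", "priority": 10},
    {"id": 3, "status": "Complete", "priority": 90},
]


def filter_rows_unsafe(rows, expr):
    """Vulnerable pattern: the client-supplied filter string is evaluated as Python.

    Any valid expression runs with the service's privileges, so the input is a
    program rather than data. Kept only to make the contrast concrete.
    """
    return [row for row in rows if eval(expr, {}, dict(row))]


# --- Hardened replacement: parse an explicit grammar instead of evaluating text ---

# Allowlist of filterable columns and the type each value must coerce to.
ALLOWED_FIELDS = {"id": int, "status": str, "priority": int}
# Allowlist of comparison operators mapped to real functions; nothing else exists.
ALLOWED_OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt}
# One term is "field op value"; terms are joined by '&'.
TERM_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*(==|!=|>|<)\s*([^&]*?)\s*$")


class FilterError(ValueError):
    """Raised for any input that is not a well-formed, allowlisted filter."""


def parse_filter(expr):
    """Turn 'field op value [& field op value ...]' into validated triples.

    Each term is matched structurally, the field is checked against ALLOWED_FIELDS,
    and the value is coerced to that field's type. No part of the input is executed.
    """
    terms = []
    for raw in expr.split("&"):
        match = TERM_RE.match(raw)
        if match is None:
            raise FilterError(f"malformed filter term: {raw!r}")
        field, op, value = match.groups()
        if field not in ALLOWED_FIELDS:
            raise FilterError(f"unknown field: {field!r}")
        caster = ALLOWED_FIELDS[field]
        try:
            typed = caster(value.strip("'\""))
        except ValueError:
            raise FilterError(f"bad value for {field!r}: {value!r}") from None
        terms.append((field, op, typed))
    return terms


def filter_rows_safe(rows, expr):
    """Apply a validated filter; rows are compared with real operator functions."""
    terms = parse_filter(expr)
    return [
        row for row in rows
        if all(ALLOWED_OPS[op](row[field], value) for field, op, value in terms)
    ]


def filter_accepted(expr):
    """True if the hardened parser accepts the filter, False if it rejects it."""
    try:
        parse_filter(expr)
    except FilterError:
        return False
    return True


if __name__ == "__main__":
    # Both paths agree on a legitimate comparison...
    print(filter_rows_unsafe(ROWS, "priority > 60"))
    print(filter_rows_safe(ROWS, "status == Complete & priority > 60"))
    # ...but only the eval() path will run a function call embedded in the filter.
    print(filter_rows_unsafe(ROWS, "len(status) > 7 and priority > 60"))
    print(filter_accepted("len(status) > 7 and priority > 60"))
```

The design point is that the hardened path never asks the interpreter what the input means: structure comes from a regular expression, semantics from two small dictionaries, and anything outside them is an error rather than executed code. The same idea carries over to any view that builds ORM lookups from request parameters.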

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2022-42902
DLA-3192-1
DSA-5260-1

Affected Products

Lava