CVE-2022-45132

Name of the Vulnerable Software and Affected Versions Linaro Automated Validation Architecture (LAVA) versions prior to 2022.11.1

Description The issue allows remote code execution through user-submitted Jinja2 templates. Specifically, the REST API endpoint for validating device configuration files in lava-server loads input as a Jinja2 template, which can be exploited to trigger remote code execution in the LAVA server.

Recommendations For versions prior to 2022.11.1, update to version 2022.11.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST API endpoint responsible for validating device configuration files in lava-server until the update is applied.