CVE-2022-44641 — XML Entity Expansion in Lava

CWE-776 — XML Entity Expansion4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.5%

top 35.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linaro Lava Debian Lava Debian Linux

Timeline

PublishedNov 18

Description

In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with valid credentials can submit crafted XMLRPC requests that cause a recursive XML entity expansion, leading to excessive use of memory on the server and a Denial of Service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDlinaro/lava< 2022.11

▶Debianlinaro/lava< 2020.12-5+deb11u2+2

▶debiandebian/lava< lava 2023.01-1 (bookworm)

Also affects: Debian Linux 10.0, 11.0

🔴Vulnerability Details

OSV

CVE-2022-44641: In Linaro Automated Validation Architecture (LAVA) before 2022↗2022-11-18

▶

GHSA

GHSA-hj7c-g88c-mq5v: In Linaro Automated Validation Architecture (LAVA) before 2022↗2022-11-18

▶

📋Vendor Advisories

Debian

CVE-2022-44641: lava - In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with va...↗2022

▶