CVE-2022-45132: Code Injection in Lava

CWE-94: Code Injection | 4 documents | 4 sources
Severity
9.8 CRITICAL (NVD)
EPSS
4.7%
top 10.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 18
Latest update: Nov 19

Description

In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through a user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads the submitted input as a Jinja2 template in a way that can be used to trigger remote code execution on the LAVA server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

NVD: linaro/lava < 2022.11.1
Debian: linaro/lava < 2023.01-1+1
debian: debian/lava < lava 2023.01-1 (bookworm)

Vulnerability Details (2)

GHSA: GHSA-wjxx-hxfj-hfmh: In Linaro Automated Validation Architecture (LAVA) before 2022... (2022-11-19)
OSV: CVE-2022-45132: In Linaro Automated Validation Architecture (LAVA) before 2022... (2022-11-18)

Vendor Advisories (1)

Debian: CVE-2022-45132: lava - In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code... (2022)