Product:

Lava

(Linaro)
Repositories

Unknown:

This might be proprietary software.
#Vulnerabilities 6
Date Id Summary Products Score Patch Annotated
2022-10-13 CVE-2022-42902 In Linaro Automated Validation Architecture (LAVA) before 2022.10, there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization, an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the server. Debian_linux, Lava 8.8
2022-11-18 CVE-2022-44641 In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with valid credentials can submit crafted XMLRPC requests that cause a recursive XML entity expansion, leading to excessive use of memory on the server and a Denial of Service. Debian_linux, Lava 6.5
2022-11-18 CVE-2022-45132 In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads input as a Jinja2 template in a way that can be used to trigger remote code execution in the LAVA server. Lava 9.8
2018-06-19 CVE-2018-12565 An issue was discovered in Linaro LAVA before 2018.5.post1. Because of use of yaml.load() instead of yaml.safe_load() when parsing user data, remote code execution can occur. Debian_linux, Lava N/A
2018-06-19 CVE-2018-12564 An issue was discovered in Linaro LAVA before 2018.5.post1. Because of support for URLs in the submit page, a user can forge an HTTP request that will force lava-server-gunicorn to return any file on the server that is readable by lavaserver and valid yaml. Debian_linux, Lava 6.5
2018-06-19 CVE-2018-12563 An issue was discovered in Linaro LAVA before 2018.5.post1. Because of support for file: URLs, a user can force lava-server-gunicorn to download any file from the filesystem if it's readable by lavaserver and valid yaml. Lava 6.5