CVE-2022-45132

In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads input as a Jinja2 template in a way that can be used to trigger remote code execution in the LAVA server.
Configurations

Configuration 1 (hide)

cpe:2.3:a:linaro:lava:*:*:*:*:*:*:*:*

History

07 Nov 2023, 03:54

Type Values Removed Values Added
References
  • {'url': 'https://lists.lavasoftware.org/archives/list/lava-announce@lists.lavasoftware.org/thread/WHXGQMIZAPW3GCQEXYHC32N2ZAAAIYCY/', 'name': 'https://lists.lavasoftware.org/archives/list/lava-announce@lists.lavasoftware.org/thread/WHXGQMIZAPW3GCQEXYHC32N2ZAAAIYCY/', 'tags': ['Mailing List', 'Patch', 'Vendor Advisory'], 'refsource': 'MISC'}
  • () https://lists.lavasoftware.org/archives/list/lava-announce%40lists.lavasoftware.org/thread/WHXGQMIZAPW3GCQEXYHC32N2ZAAAIYCY/ -

Information

Published : 2022-11-18 23:15

Updated : 2024-02-28 19:51


NVD link : CVE-2022-45132

Mitre link : CVE-2022-45132

CVE.ORG link : CVE-2022-45132


JSON object : View

Products Affected

linaro

  • lava
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')