CVE-2022-42902

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Linaro Automated Validation Architecture (LAVA) before 2022.10, there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization, an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the server.

Linaro Automated Validation Architecture (LAVA) versiones anteriores a 2022.10, se presenta una ejecución de código dinámico en el archivo lava_server/lavatable.py. Debido a un saneo inapropiado de la entrada, un usuario anónimo puede forzar al servicio lava-server-gunicorn a ejecutar código proporcionado por el usuario en el servidor

*Credits: N/A

CVSS Scores

NISTv3.1 8.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-10-13 CVE Reserved
2022-10-13 CVE Published
2024-08-01 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2022/11/msg00019.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://git.lavasoftware.org/lava/lava/-/commit/e66b74cd6c175ff8826b8f3431740963be228b52?merge_request_iid=1834	2023-02-02
https://git.lavasoftware.org/lava/lava/-/merge_requests/1834	2023-02-02

URL	Date	SRC
https://www.debian.org/security/2022/dsa-5260	2023-02-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linaro Search vendor "Linaro"		Lava Search vendor "Linaro" for product "Lava"				< 2022.10 Search vendor "Linaro" for product "Lava" and version " < 2022.10"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected