CVE-2022-42902

Name: CVE-2022-42902
Description: In Linaro Automated Validation Architecture (LAVA) before 2022.10, there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization, an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the server.
Source: CVE (with links to NVD, CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search and more)
References: DLA-3192-1, DSA-5260-1
Debian Bugs: 1021737
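The description names the bug class (request parameters turned into executable Python, reachable without authentication) but does not show it. The following is a constructed illustration of that class beside its usual fix, added here as an example; it is not LAVA's code, the row data, column names and helper functions are hypothetical, and the actual change to lavatable.py is the merge request linked under Notes.

```python
"""Constructed illustration of dynamic code execution from an unsanitized
table-filter parameter, next to an allowlist-based parser. Not LAVA's code;
all names and data here are hypothetical."""

import operator
import os

# Constructed sample rows standing in for a table of test jobs.
ROWS = [
    {"id": 1, "status": "Complete", "priority": 50},
    {"id": 2, "status": "Incomplete", "priority": 90},
    {"id": 3, "status": "Complete", "priority": 10},
]

# Columns a client may filter on, with the parser applied to the raw value.
ALLOWED_COLUMNS = {"id": int, "status": str, "priority": int}

# Comparison operators a client may use; anything else is rejected.
OPERATORS = {"=": operator.eq, "<": operator.lt, ">": operator.gt}


def filter_rows_unsafe(rows, term):
    """Vulnerable pattern: the query-string term (e.g. "priority > 20") is
    evaluated as Python with the row's columns as variables. Whatever
    expression the anonymous caller sends runs inside the server process."""
    return [row for row in rows if eval(term, {}, dict(row))]


def demonstrate_code_execution():
    """The 'filter' below is a valid expression only by accident: it runs
    os.environ.update() as a side effect and returns True for every row.
    Returns the marker it planted so the effect is observable."""
    term = "__import__('os').environ.update(LAVATABLE_DEMO='executed') or True"
    filter_rows_unsafe(ROWS, term)
    return os.environ.get("LAVATABLE_DEMO")


def parse_term(term):
    """Hardened pattern: parse the term into (column, operator, value) and
    reject anything outside the allowlists before touching the data."""
    parts = term.split()
    if len(parts) != 3:
        raise ValueError("term must be '<column> <op> <value>'")
    column, op, raw = parts
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown column {column!r}")
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator {op!r}")
    return column, OPERATORS[op], ALLOWED_COLUMNS[column](raw)


def filter_rows_safe(rows, term):
    """Apply a parsed term; no user-controlled text ever reaches eval()."""
    column, op, value = parse_term(term)
    return [row for row in rows if op(row[column], value)]


if __name__ == "__main__":
    print([r["id"] for r in filter_rows_safe(ROWS, "priority > 20")])
    print(demonstrate_code_execution())
```

The hardened version deliberately has no general expression language: the set of columns and operators is fixed in code, so the only thing the client controls is a value that is parsed by the column's own type. A term like `__import__('os').getpid() > 0` is rejected at the column check, whereas the eval-based version runs it.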

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                         Version             Status
lava (PTS)       buster                          2019.01-5           vulnerable
                 buster (security)               2019.01-5+deb10u2   fixed
                 bullseye (security), bullseye   2020.12-5+deb11u2   fixed
                 bookworm, sid                   2023.01-2           fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version       Urgency   Origin       Debian Bugs
lava      source   buster       2019.01-5+deb10u1             DLA-3192-1
lava      source   bullseye     2020.12-5+deb11u1             DSA-5260-1
lava      source   (unstable)   2022.10-1                                  1021737
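To check a host against the fixed versions in the table above, the installed version has to be compared with dpkg's ordering rules (epoch before the first ':', Debian revision after the last '-', '~' sorting before everything including the end of the string, letters before other characters, digit runs compared numerically). The following is an added example, not part of the tracker page, that implements that comparison in plain Python and looks the installed version up against the releases listed here; the release table is copied from the page, and the function names are this example's own.

```python
"""Added check: is an installed lava version at or above the fixed version
recorded above for a given Debian release? Implements the dpkg version
ordering so it runs without python3-apt. Not part of the tracker page."""

# Fixed versions copied from the "fixed versions" table above.
FIXED_VERSIONS = {
    "buster": "2019.01-5+deb10u1",
    "bullseye": "2020.12-5+deb11u1",
    "unstable": "2022.10-1",
}


def _order(c):
    """dpkg's weight for one character of a non-digit run: end of string and
    digits are 0, '~' sorts before everything, letters before other symbols."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does:
    alternate runs of non-digits (by _order) and runs of digits (numerically)."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            diff = _order(a[:1]) - _order(b[:1])
            if diff:
                return diff
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros do not count
        first_diff = 0
        while a and b and a[0].isdigit() and b[0].isdigit():
            if not first_diff:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():  # longer digit run wins
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Negative, zero or positive, like dpkg --compare-versions lt/eq/gt."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def is_fixed(installed, release):
    """True if the installed version is at or above the fixed version for the
    release; KeyError for a release the table does not list."""
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0


if __name__ == "__main__":
    import sys
    # Usage: python3 check.py <release> "$(dpkg-query -W -f='${Version}' lava)"
    print("fixed" if is_fixed(sys.argv[2], sys.argv[1]) else "vulnerable")
```

The installed version comes from `dpkg-query -W -f='${Version}' lava` on the host being checked. Comparing package versions as strings would misorder cases such as `2022.9-1` against `2022.10-1` or a `~rc` pre-release against its final release, which is why the dpkg rules are reproduced rather than approximated.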

Notes

https://git.lavasoftware.org/lava/lava/-/merge_requests/1834
https://git.lavasoftware.org/lava/lava/-/commit/e66b74cd6c175ff8826b8f3431740963be228b52?merge_request_iid=1834
