CVE-2022-42902

NameCVE-2022-42902
DescriptionIn Linaro Automated Validation Architecture (LAVA) before 2022.10, there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization, an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the server.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3192-1, DSA-5260-1
Debian Bugs1021737

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lava (PTS)buster2019.01-5vulnerable
buster (security)2019.01-5+deb10u1fixed
bullseye2020.12-5vulnerable
bullseye (security)2020.12-5+deb11u1fixed
sid2022.10-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lavasourcebuster2019.01-5+deb10u1DLA-3192-1
lavasourcebullseye2020.12-5+deb11u1DSA-5260-1
lavasource(unstable)2022.10-11021737

Notes

https://git.lavasoftware.org/lava/lava/-/merge_requests/1834
https://git.lavasoftware.org/lava/lava/-/commit/e66b74cd6c175ff8826b8f3431740963be228b52?merge_request_iid=1834

Search for package or bug name: Reporting problems