Vulnerability Details : CVE-2022-42902
In Linaro Automated Validation Architecture (LAVA) before 2022.10, there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization, an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the server.
Products affected by CVE-2022-42902
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:linaro:lava:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-42902
- EPSS score: 0.20% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~58% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2022-42902
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
References for CVE-2022-42902
- https://www.debian.org/security/2022/dsa-5260 (Debian -- Security Information -- DSA-5260-1 lava) [Third Party Advisory]
- https://git.lavasoftware.org/lava/lava/-/commit/e66b74cd6c175ff8826b8f3431740963be228b52?merge_request_iid=1834 (Replace dynamic code execution in lava_server/lavatable.py (e66b74cd) · Commits · lava / lava · GitLab) [Patch; Vendor Advisory]
- https://lists.debian.org/debian-lts-announce/2022/11/msg00019.html ([SECURITY] [DLA 3192-1] lava security update) [Mailing List; Third Party Advisory]
- https://git.lavasoftware.org/lava/lava/-/merge_requests/1834 (Replace dynamic code compilation (exec) in lava_server/lavatable.py (!1834) · Merge requests · lava / lava · GitLab) [Issue Tracking; Patch; Vendor Advisory]