CVE-2022-45132

In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads input as a Jinja2 template in a way that can be used to trigger remote code execution in the LAVA server.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 89%
VendorProductVersion
linarolava
𝑥
< 2022.11.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
lava
bullseye (security)
2020.12-5+deb11u2
fixed
bullseye
2020.12-5+deb11u2
not-affected
buster
not-affected
bookworm
2023.01-2
fixed
sid
2023.01-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
lava
lunar
not-affected
kinetic
dne
jammy
dne
focal
dne
bionic
dne
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://lists.lavasoftware.org/archives/list/lava-announce%40lists.lavasoftware.org/thread/WHXGQMIZAPW3GCQEXYHC32N2ZAAAIYCY/
https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/
https://lists.lavasoftware.org/archives/list/lava-announce%40lists.lavasoftware.org/thread/WHXGQMIZAPW3GCQEXYHC32N2ZAAAIYCY/
https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/