In Linaro Automated Validation Architecture (LAVA) before 2022.10, there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization, an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the server.
CPE | Name | Operator | Version |
---|---|---|---|
debian_linux | eq | 10.0 | |
debian_linux | eq | 11.0 | |
lava | lt | 2022.10 |