Lucene search

K

Lava Security Vulnerabilities

cve
cve

CVE-2023-47659

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Lavacode Lava Directory Manager plugin <= 1.1.34...

6.5CVSS

5.2AI Score

0.0004EPSS

2023-11-14 05:15 PM
46
cve
cve

CVE-2023-46081

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Lavacode Lava Directory Manager plugin <= 1.1.34...

7.1CVSS

5.7AI Score

0.0005EPSS

2023-10-26 01:15 PM
23
cve
cve

CVE-2022-45132

In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads input as a Jinja2 template in a way that can be used to trigger...

9.8CVSS

9.7AI Score

0.008EPSS

2022-11-18 11:15 PM
33
8
cve
cve

CVE-2022-44641

In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with valid credentials can submit crafted XMLRPC requests that cause a recursive XML entity expansion, leading to excessive use of memory on the server and a Denial of...

6.5CVSS

6.2AI Score

0.001EPSS

2022-11-18 09:15 PM
26
4
cve
cve

CVE-2022-42902

In Linaro Automated Validation Architecture (LAVA) before 2022.10, there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization, an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the...

8.8CVSS

8.7AI Score

0.002EPSS

2022-10-13 03:15 AM
31
8
cve
cve

CVE-2018-12563

An issue was discovered in Linaro LAVA before 2018.5.post1. Because of support for file: URLs, a user can force lava-server-gunicorn to download any file from the filesystem if it's readable by lavaserver and valid...

6.5CVSS

6.4AI Score

0.001EPSS

2018-06-19 05:29 AM
22
cve
cve

CVE-2018-12565

An issue was discovered in Linaro LAVA before 2018.5.post1. Because of use of yaml.load() instead of yaml.safe_load() when parsing user data, remote code execution can...

8.8CVSS

8.9AI Score

0.002EPSS

2018-06-19 05:29 AM
42
cve
cve

CVE-2018-12564

An issue was discovered in Linaro LAVA before 2018.5.post1. Because of support for URLs in the submit page, a user can forge an HTTP request that will force lava-server-gunicorn to return any file on the server that is readable by lavaserver and valid...

6.5CVSS

6.4AI Score

0.001EPSS

2018-06-19 05:29 AM
44
cve
cve

CVE-2017-14003

An Authentication Bypass by Spoofing issue was discovered in LAVA Ether-Serial Link (ESL) running firmware versions 6.01.00/29.03.2007 and prior versions. An improper authentication vulnerability has been identified, which, if exploited, would allow an attacker with the same IP address to bypass...

9.8CVSS

9.4AI Score

0.002EPSS

2017-10-11 07:29 PM
25