Lucene search

K

Ubuntu.comUB:CVE-2022-42902

HistoryOct 13, 2022 - 12:00 a.m.

CVE-2022-42902

2022-10-1300:00:00

ubuntu.com

ubuntu.com

18

linaro automated validation architecture

code execution

input sanitization

anonymous user

server compromise

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

57.6%

In Linaro Automated Validation Architecture (LAVA) before 2022.10, there is
dynamic code execution in lava_server/lavatable.py. Due to improper input
sanitization, an anonymous user can force the lava-server-gunicorn service
to execute user-provided code on the server.

Bugs

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021737>

References

git.lavasoftware.org/lava/lava/-/commit/e66b74cd6c175ff8826b8f3431740963be228b52?merge_request_iid=1834

git.lavasoftware.org/lava/lava/-/merge_requests/1834

launchpad.net/bugs/cve/CVE-2022-42902

nvd.nist.gov/vuln/detail/CVE-2022-42902

security-tracker.debian.org/tracker/CVE-2022-42902

www.cve.org/CVERecord?id=CVE-2022-42902

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

57.6%

Related for UB:CVE-2022-42902

osv2 nessus2 debiancve1 prion1 openvas2 nvd1 debian2 cvelist1 veracode1 cve1