lava is vulnerable to authentication bypass. The vulnerability exists in lava_server/lavatable.py due to improper input sanitization which allows an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the server.
git.lavasoftware.org/lava/lava/-/commit/e66b74cd6c175ff8826b8f3431740963be228b52?merge_request_iid=1834
git.lavasoftware.org/lava/lava/-/merge_requests/1834
lists.debian.org/debian-lts-announce/2022/11/msg00019.html
security-tracker.debian.org/tracker/CVE-2022-42902
www.debian.org/security/2022/dsa-5260