First published: Fri Nov 18 2022
In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through a user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads the submitted input as a Jinja2 template in a way that can be used to trigger remote code execution on the LAVA server.
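The root cause described above is a validation endpoint that renders untrusted text as a template: every expression in the submission is evaluated with whatever the render context can reach. The following added illustration (not LAVA's code, and not a description of the upstream fix) contrasts a validator that renders with one that only parses. `load_device_dictionary` is a hypothetical stand-in for any callable exposed to the template context, and the sample template is constructed for the demo.

```python
"""Render-based vs. parse-based validation of an untrusted Jinja2 template.

Illustration only: none of these names come from lava-server. The point is
that Environment.parse() checks syntax without evaluating a single
expression, whereas from_string().render() executes the template.
"""
from jinja2 import Environment, TemplateSyntaxError

# Constructed side-effect recorder. It stands in for any callable reachable
# from the render context; if validation renders, this function runs.
CALLS = []


def load_device_dictionary(name):
    """Hypothetical context helper; records that it was invoked."""
    CALLS.append(name)
    return {"name": name}


def make_env():
    """Environment with the hypothetical helper exposed, as a real app might."""
    env = Environment()
    env.globals["load_device_dictionary"] = load_device_dictionary
    return env


def validate_by_rendering(template_text):
    """Vulnerable pattern: 'validating' by rendering executes the input."""
    try:
        make_env().from_string(template_text).render()
        return True
    except TemplateSyntaxError:
        return False


def validate_by_parsing(template_text):
    """Hardened pattern: parse only. Syntax errors are still reported, but no
    expression, call or attribute lookup in the submission is evaluated."""
    try:
        make_env().parse(template_text)
        return True
    except TemplateSyntaxError:
        return False


# Constructed sample: syntactically valid device-config-like template that
# calls a context function.
SAMPLE_TEMPLATE = (
    "{% set d = load_device_dictionary('qemu01') %}"
    "device_type: {{ d.name }}\n"
)
BROKEN_TEMPLATE = "{% endif %}"  # stray closing tag: a syntax error


def run_demo():
    """Returns (parse_ok, parse_calls, broken_ok, render_ok, render_calls)."""
    CALLS.clear()
    parse_ok = validate_by_parsing(SAMPLE_TEMPLATE)
    parse_calls = list(CALLS)           # expected: [] - nothing executed
    broken_ok = validate_by_parsing(BROKEN_TEMPLATE)  # expected: False
    render_ok = validate_by_rendering(SAMPLE_TEMPLATE)
    render_calls = list(CALLS)          # expected: ['qemu01'] - input ran
    return parse_ok, parse_calls, broken_ok, render_ok, render_calls


if __name__ == "__main__":
    print(run_demo())
```

Both validators accept the well-formed sample and reject the broken one, so parse-only validation loses nothing functionally; the difference is that the parsing validator never invokes `load_device_dictionary`. Where an application must actually render untrusted templates, that path belongs in `jinja2.sandbox.SandboxedEnvironment` with a deliberately minimal context, in addition to (not instead of) keeping the validation endpoint parse-only.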
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linaro LAVA | <2022.11.1 | |
| debian/lava | 2019.01-5, 2019.01-5+deb10u2, 2020.12-5+deb11u2, 2023.01-2 | |
CVE-2022-45132 is a vulnerability in Linaro Automated Validation Architecture (LAVA) that allows remote code execution through a user-submitted Jinja2 template.
CVE-2022-45132 can be exploited by submitting a malicious Jinja2 template through the REST API endpoint for validating device configuration files in LAVA.
CVE-2022-45132 has a severity rating of 9.8 (Critical).
Linaro LAVA versions before 2022.11.1 and Debian package versions 2019.01-5, 2019.01-5+deb10u2, 2020.12-5+deb11u2, and 2023.01-2 are affected by CVE-2022-45132.
To fix CVE-2022-45132, update Linaro LAVA to version 2022.11.1 or later, and update the Debian package lava to one of the recommended versions: 2019.01-5, 2019.01-5+deb10u2, 2020.12-5+deb11u2, or 2023.01-2.