CVE-2022-45132
Severity CVSS v4.0:
Pending analysis
Type:
CWE-94
Code Injection
Publication date:
18/11/2022
Last modified:
30/04/2025
Description
In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through a user-submitted Jinja2 template. The REST API endpoint in lava-server that validates device configuration files loads the submitted input as a Jinja2 template and renders it, so a template expression embedded in the input is executed with the privileges of the lava-server process (server-side template injection, CWE-94).
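The following is an added illustration of the bug class, not code from LAVA or from the upstream fix (the announcement linked below describes the actual change in 2022.11.1). It assumes only the `jinja2` package. The endpoint shape, the function names and the "device config" text are constructed for the example. `render_unsandboxed` is the vulnerable pattern: attacker text becomes template code, and a well-known gadget chain (`cycler` is a Jinja2 built-in global, its `__init__.__globals__` is the `jinja2.utils` module namespace, which imports `os`) reaches arbitrary Python; `os.getpid()` stands in for `os.popen(...)`. `validate_syntax` shows that a validation endpoint can check syntax with `parse()` without executing anything, and `render_sandboxed` shows `SandboxedEnvironment` refusing the chain if rendering is genuinely required.

```python
"""CWE-94 / SSTI illustration for CVE-2022-45132 (constructed example, not LAVA code)."""
import os

from jinja2 import Environment, TemplateRuntimeError, TemplateSyntaxError
from jinja2.sandbox import SandboxedEnvironment

# Constructed attacker payload. `cycler` is a Jinja2 default global; the
# __globals__ of its __init__ is the jinja2.utils module namespace, which
# imports `os`. A real attacker would call os.popen(...) instead of getpid().
PAYLOAD = "{{ cycler.__init__.__globals__.os.getpid() }}"

# Constructed benign input in the spirit of a device configuration template.
BENIGN = "{% set arch = 'arm64' %}device_type: qemu\narch: {{ arch }}"


def render_unsandboxed(user_input: str) -> str:
    """Vulnerable pattern: untrusted text is compiled and rendered as template code."""
    return Environment().from_string(user_input).render()


def validate_syntax(user_input: str):
    """Hardened option 1: a validation endpoint only needs the syntax check.
    parse() builds the AST and never compiles or evaluates an expression."""
    try:
        Environment().parse(user_input)
        return True, None
    except TemplateSyntaxError as exc:
        return False, f"line {exc.lineno}: {exc.message}"


def render_sandboxed(user_input: str):
    """Hardened option 2, only if rendering is really required: the sandbox
    blocks underscore-prefixed/internal attributes (__init__, __globals__)
    and raises jinja2.sandbox.SecurityError, a TemplateRuntimeError subclass.
    Treat this as defence in depth, not as a substitute for option 1."""
    try:
        return True, SandboxedEnvironment().from_string(user_input).render()
    except TemplateRuntimeError as exc:
        return False, f"{type(exc).__name__}: {exc}"


def expected_pid() -> str:
    """What the payload reveals when it actually executes in this process."""
    return str(os.getpid())


if __name__ == "__main__":
    print("unsandboxed render:", render_unsandboxed(PAYLOAD), "pid:", expected_pid())
    print("parse-only check  :", validate_syntax(PAYLOAD))
    print("sandboxed render  :", render_sandboxed(PAYLOAD))
    print("benign input      :", validate_syntax(BENIGN), render_sandboxed(BENIGN))
```

The first line of output equals the interpreter's own PID, which is the whole vulnerability: the "validator" ran the attacker's expression. The parse-only check accepts the same payload as syntactically valid while executing nothing, which is the correct behaviour for an endpoint whose job is to validate a file. Note that the sandbox only limits attribute access inside the template; the rest of the server (filters, globals and any objects passed into the render context) still has to be reviewed before trusting it with untrusted templates.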
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:linaro:lava:*:*:*:*:*:*:*:* | | 2022.11.1 (excluding) |
References to Advisories, Solutions, and Tools
- https://lists.lavasoftware.org/archives/list/lava-announce%40lists.lavasoftware.org/thread/WHXGQMIZAPW3GCQEXYHC32N2ZAAAIYCY/
- https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/