Remote Code Execution in Linaro Automated Validation Architecture (LAVA) through User-Submitted Jinja2 Template

Remote Code Execution in Linaro Automated Validation Architecture (LAVA) through User-Submitted Jinja2 Template

CVE-2022-45132 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads input as a Jinja2 template in a way that can be used to trigger remote code execution in the LAVA server.

Learn more about our Cis Benchmark Audit For Server Software.