Source: lava Version: 2022.10-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for lava. CVE-2022-45132[0]: | In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, | remote code execution can be achieved through user-submitted Jinja2 | template. The REST API endpoint for validating device configuration | files in lava-server loads input as a Jinja2 template in a way that | can be used to trigger remote code execution in the LAVA server. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-45132 https://www.cve.org/CVERecord?id=CVE-2022-45132 [1] https://lists.lavasoftware.org/archives/list/lava-annou...@lists.lavasoftware.org/thread/WHXGQMIZAPW3GCQEXYHC32N2ZAAAIYCY/ [2] https://git.lavasoftware.org/lava/lava/-/commit/ab17e8304f10c7c0fe912067f2ed85a4753241c7 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
