CVE-2022-42902 Information

Description

In Linaro Automated Validation Architecture (LAVA) before 2022.10 there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the server.

Reference

https://git.lavasoftware.org/lava/lava/-/commit/e66b74cd6c175ff8826b8f3431740963be228b52?merge_request_iid=1834 https://git.lavasoftware.org/lava/lava/-/merge_requests/1834