CVE-2022-45132

CRITICAL

Linaro LAVA < 2022.11.1 - Remote Code Execution via Jinja2 Template Injection

Title source: llm

Description

In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads input as a Jinja2 template in a way that can be used to trigger remote code execution in the LAVA server.

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/

Various Sources

https://lists.lavasoftware.org/archives/list/lava-announce%40lists.lavasoftware.org/thread/WHXGQMIZAPW3GCQEXYHC32N2ZAAAIYCY/

Scores

CVSS v3 9.8

EPSS 0.0186

EPSS Percentile 76.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-94

Status published

Products (1)

linaro/lava < 2022.11.1

Published Nov 18, 2022

Tracked Since Feb 18, 2026