Linaro Lava
By the Year
In 2026 there have been 0 vulnerabilities in Linaro Lava. Lava did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 3 | 8.37 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 3 | 7.27 |
It may take a day or so for new Lava vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Linaro Lava Security Vulnerabilities
LAVA < 2022.11.1 RCE via user-submitted Jinja2 template in lava-server REST API
CVE-2022-45132
9.8 - Critical
- November 18, 2022
In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through a user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads input as a Jinja2 template in a way that can be used to trigger remote code execution in the LAVA server.
Code Injection
LAVA < 2022.11 XMLRPC Recursive XML Entity Expansion DoS
CVE-2022-44641
6.5 - Medium
- November 18, 2022
In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with valid credentials can submit crafted XMLRPC requests that cause a recursive XML entity expansion, leading to excessive use of memory on the server and a Denial of Service.
XEE
Dynamic Code Exec in LAVA < 2022.10 lava_server CVE-2022-42902
CVE-2022-42902
8.8 - High
- October 13, 2022
In Linaro Automated Validation Architecture (LAVA) before 2022.10, there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization, an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the server.
An issue was discovered in Linaro LAVA before 2018.5.post1
CVE-2018-12563
6.5 - Medium
- June 19, 2018
An issue was discovered in Linaro LAVA before 2018.5.post1. Because of support for file: URLs, a user can force lava-server-gunicorn to download any file from the filesystem if it's readable by lavaserver and valid yaml.
Improper Input Validation
An issue was discovered in Linaro LAVA before 2018.5.post1
CVE-2018-12564
6.5 - Medium
- June 19, 2018
An issue was discovered in Linaro LAVA before 2018.5.post1. Because of support for URLs in the submit page, a user can forge an HTTP request that will force lava-server-gunicorn to return any file on the server that is readable by lavaserver and valid yaml.
Improper Input Validation
An issue was discovered in Linaro LAVA before 2018.5.post1
CVE-2018-12565
8.8 - High
- June 19, 2018
An issue was discovered in Linaro LAVA before 2018.5.post1. Because of use of yaml.load() instead of yaml.safe_load() when parsing user data, remote code execution can occur.
Improper Input Validation