We have recently fixed some serious security issues on LAVA server.
CVE-2022-44641: Recursive XML entity expansion
Users with valid accounts can submit a specially crafted XML document via the XMLRPC that causes a recursive XML entity expansion, consuming large amounts of resources and eventually cause a Denial of Service on the LAVA server.
This problem was found, and the fix provided, by Igor Ponomarev from Collabora. The fix has been released in 2022.11, with the following patch: https://git.lavasoftware.org/lava/lava/-/commit/1bee0f8957741582c2bed800974f...
CVE-2022-45132: Code execution in jinja templates
A specially crafted jinja2 template can be submitted to a publicly accessible REST API endpoint without any authentication and cause a remote command execution as the same user that is running the LAVA server web application.
This problem was found, and the fix provided, by Igor Ponomarev from Collabora. The fix has been released in 2022.11.1, with the following patch: https://git.lavasoftware.org/lava/lava/-/commit/ab17e8304f10c7c0fe912067f2ed...
We strongly recommend that administrators upgrade to the 2022.11.1 release immediately, or failing that, at least apply the patches linked above locally to their lava server.
lava-announce@lists.lavasoftware.org