CVE-2018-12564

EPSS 0.33%
Veröffentlicht 19.06.2018 05:29:00
Zuletzt bearbeitet 21.11.2024 03:45:26
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

An issue was discovered in Linaro LAVA before 2018.5.post1. Because of support for URLs in the submit page, a user can forge an HTTP request that will force lava-server-gunicorn to return any file on the server that is readable by lavaserver and valid yaml.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linaro ≫ Lava Version < 2018.5.post1

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.548

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://git.linaro.org/lava/lava.git/commit/?id=95a9a77b144ced24d7425d6544ab03ca7f6c75d3

Patch

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2018/06/msg00011.html

Third Party Advisory

https://www.debian.org/security/2018/dsa-4234

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-12564

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-12564

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-12564

EUVD