Debian DLA-3276-1 : lava – LTS security update
Discription

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3276 advisory.

– In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with valid credentials can submit crafted XMLRPC requests that cause a recursive XML entity expansion, leading to excessive use of memory on the server and a Denial of Service. (CVE-2022-44641)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.Read More

References

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024429https://security-tracker.debian.org/tracker/source-package/lavahttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44641https://security-tracker.debian.org/tracker/CVE-2022-44641https://www.debian.org/lts/security/2023/dla-3276https://packages.debian.org/source/buster/lava

6.5 Medium

CVSS3

  • Attack Vector
  • Attack Complexity
  • Privileges Required
  • User Interaction
  • Scope
  • Confidentiality Impact
  • Integrity Impact
  • Availability Impact
  • Network
  • Low
  • Low
  • None
  • Unchanged
  • None
  • None
  • High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Back to Main
Subscribe for the latest news: