CVE-2018-12565

moderate-risk
Published 2018-06-19

An issue was discovered in Linaro LAVA before 2018.5.post1. Because of use of yaml.load() instead of yaml.safe_load() when parsing user data, remote code execution can occur.

Do I need to act?

~
2.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (2)

Lava

Affected Vendors

Debian Linaro

References (4)

Patch https://git.linaro.org/lava/lava.git/commit/?id=583666c84ea2f12797a3eb71392bcb05...
Third Party Advisory https://www.debian.org/security/2018/dsa-4234
Patch https://git.linaro.org/lava/lava.git/commit/?id=583666c84ea2f12797a3eb71392bcb05...
Third Party Advisory https://www.debian.org/security/2018/dsa-4234
43
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 6/34 · Minimal
Exposure 7/34 · Low