{"id":"CVE-2018-12563","details":"An issue was discovered in Linaro LAVA before 2018.5.post1. Because of support for file: URLs, a user can force lava-server-gunicorn to download any file from the filesystem if it's readable by lavaserver and valid yaml.","modified":"2026-03-12T22:45:30.782599Z","published":"2018-06-19T05:29:00.497Z","references":[{"type":"FIX","url":"https://git.linaro.org/lava/lava.git/commit/?id=e24ec39599bc07562ad8bc2a581144b8448cb214"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2018.5.post1"}]},{"events":[{"introduced":"0"},{"fixed":"2018.5.post1"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-12563.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}