Vulnerabilities > CVE-2020-10289 - Deserialization of Untrusted Data vulnerability in Openrobotics Robot Operating System

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

openrobotics

CWE-502

NVD

Published: 2020-08-20

Updated: 2021-12-20

Summary

Use of unsafe yaml load. Allows instantiation of arbitrary objects. The flaw itself is caused by an unsafe parsing of YAML values which happens whenever an action message is processed to be sent, and allows for the creation of Python objects. Through this flaw in the ROS core package of actionlib, an attacker with local or remote access can make the ROS Master, execute arbitrary code in Python form. Consider yaml.safe_load() instead. Located first in actionlib/tools/library.py:132. See links for more info on the bug.

Vulnerable Configurations

Part	Description	Count
OS	Openrobotics Openrobotics Robot Operating System -	1

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://github.com/ros/actionlib/pull/171