9.8
CVE-2024-39780
- EPSS 0.74%
- Veröffentlicht 02.04.2025 08:15:13
- Zuletzt bearbeitet 26.08.2025 16:36:48
- Quelle security@ubuntu.com
- CVE-Watchlists
- Unerledigt
LoginA YAML deserialization vulnerability was found in the Robot Operating System (ROS) 'dynparam', a command-line tool for getting, setting, and deleting parameters of a dynamically configurable node, affecting ROS distributions Noetic and earlier. The issue is caused by the use of the yaml.load() function in the 'set' and 'get' verbs, and allows for the creation of arbitrary Python objects. Through this flaw, a local or remote user can craft and execute arbitrary Python code.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Openrobotics ≫ Robot Operating System Versionindigo_igloo
Openrobotics ≫ Robot Operating System Versionkinetic_kame
Openrobotics ≫ Robot Operating System Versionmelodic_morenia
Openrobotics ≫ Robot Operating System Versionnoetic_ninjemys
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.74% | 0.723 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security@ubuntu.com | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.