CVE-2020-10289 HIGH

CVE-2020-10289: RVD#2401: Use of unsafe yaml load, ./src/actionlib/tools/library.py:132

Vendor Open Robotics

Product ros

Weakness CWE-20 · Input validation

Published August 20, 2020

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

8.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Use of unsafe yaml load. Allows instantiation of arbitrary objects. The flaw itself is caused by an unsafe parsing of YAML values which happens whenever an action message is processed to be sent, and allows for the creation of Python objects. Through this flaw in the ROS core package of actionlib, an attacker with local or remote access can make the ROS Master, execute arbitrary code in Python form. Consider yaml.safe_load() instead. Located first in actionlib/tools/library.py:132. See links for more info on the bug.

Key dates

02Disclosure timeline

August 20, 2020 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-10289 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2020-10289: RVD#2401: Use of unsafe yaml load, ./src/actionlib/tools/library.py:132

01Description

02Disclosure timeline

03References

04Related CVE