CVE-2020-10289

RVD#2401: Use of unsafe yaml load, ./src/actionlib/tools/library.py:132

CVSS 8.0 (High) · EPSS 1.9% · CWE-20
Vexday Risk Score: 21 (Low)
SSVC decision (CISA): Track (no exploitation signal → monitor)
KEV: no · PoC · Nuclei · Metasploit · Patch
Lifecycle: 20 Aug 2020, published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Use of unsafe yaml load, which allows instantiation of arbitrary objects. The flaw is an unsafe parsing of YAML values (yaml.load() rather than yaml.safe_load()) that happens whenever an action message is processed to be sent; because the default PyYAML loader honours python/object tags, the parsed document can create arbitrary Python objects. Through this flaw in the ROS core package actionlib, an attacker with local or remote access can make the ROS Master execute arbitrary Python code. Use yaml.safe_load() instead. First located in actionlib/tools/library.py:132. See the links for more information on the bug.
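The root cause, reproduced as an added example (this is illustrative code written for this page, not actionlib's own source). It assumes PyYAML is installed; the YAML documents are constructed samples standing in for the user-supplied goal fields that the tool in actionlib/tools/library.py parses. The vulnerable pattern and the hardened pattern sit side by side, and a small helper shows what a fixed tool should return when it is handed a python/object tag.

```python
"""Added example reproducing the root cause of CVE-2020-10289 (unsafe yaml.load).

Illustrative code written for this page, not actionlib's own source.
Assumes PyYAML is installed. BENIGN_DOC and MALICIOUS_DOC are constructed
samples standing in for the goal fields the actionlib tool parses from text.
"""
import yaml

# Benign input: what a user normally types to fill an action goal.
BENIGN_DOC = "target: 3.0"

# Constructed malicious input. The python/object/apply tag tells PyYAML's
# full (unsafe) Loader to look up builtins.eval and call it with the listed
# argument while the document is being parsed. A real attacker would call
# os.system or similar; eval("7*6") keeps the demonstration harmless while
# still proving that code ran.
MALICIOUS_DOC = "target: !!python/object/apply:builtins.eval ['7*6']"


def parse_unsafe(yaml_str):
    """The vulnerable pattern: yaml.load() with the full Loader.

    Before PyYAML 5.1 a bare yaml.load(s) used exactly this loader, which is
    what the affected code relied on; the explicit Loader= here reproduces
    that behaviour on current PyYAML.
    """
    return yaml.load(yaml_str, Loader=yaml.Loader)


def parse_safe(yaml_str):
    """The hardened pattern: safe_load builds only plain YAML types
    (str, int, float, bool, list, dict, None) and raises on python/* tags."""
    return yaml.safe_load(yaml_str)


def load_goal_fields(yaml_str):
    """Parse user-supplied goal text the way a fixed tool should.

    Returns (True, fields) on success, or (False, reason) when safe_load
    refuses a tag or the document is not the mapping a goal needs.
    """
    try:
        fields = yaml.safe_load(yaml_str)
    except yaml.constructor.ConstructorError as exc:
        return False, "rejected: %s" % exc.problem
    if not isinstance(fields, dict):
        return False, "rejected: goal fields must be a YAML mapping"
    return True, fields


if __name__ == "__main__":
    print(parse_unsafe(MALICIOUS_DOC))      # {'target': 42}: eval ran during parsing
    print(load_goal_fields(MALICIOUS_DOC))  # (False, 'rejected: could not determine ...')
    print(load_goal_fields(BENIGN_DOC))     # (True, {'target': 3.0})
```

Two practical checks follow from this. To find the same pattern elsewhere in a ROS tree, grep for `yaml.load(` in Python sources or run Bandit, whose rule B506 (yaml_load) flags it. And note that the fix is `safe_load`, not merely passing a `Loader=` argument: PyYAML's FullLoader has had its own constructor bypasses, so only the safe loader should ever see attacker-controlled text.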
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected products
Open Robotics · ros
