CVE-2020-10289
CVE-2020-10289 is a high-severity vulnerability with a CVSS v3.1 base score of 8.8/10: an unsafe YAML load in the ROS actionlib package that allows instantiation of arbitrary objects. EPSS estimates a 1.95% chance of exploitation in the next 30 days.
Description
Use of an unsafe YAML load that allows instantiation of arbitrary objects. The flaw is caused by unsafe parsing of YAML values, which happens whenever an action message is processed to be sent, and allows arbitrary Python objects to be created during parsing (PyYAML's yaml.load() without a safe loader honours !!python/object tags). Through this flaw in the ROS core package actionlib, an attacker with local or remote access can make the ROS Master execute arbitrary Python code. Parse with yaml.safe_load() instead. First located at actionlib/tools/library.py:132. See the references for more on the bug.
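As an added example (not part of the NVD entry and not the actionlib project's code), the block below shows the pattern this CVE describes and its fix: a small AST scan that flags yaml.load() calls lacking a safe loader, and a hardened goal parser built on yaml.safe_load() that rejects a constructed !!python/object/apply payload instead of instantiating it. The function names, the sample source text and the goal strings are all assumptions made for this example; PyYAML is needed only for the parsing part.

```python
"""Added example (not actionlib's own code): finding and fixing the unsafe
yaml.load() pattern behind CVE-2020-10289.

find_unsafe_yaml_loads() walks a Python AST and flags yaml.load() calls that
omit Loader= or pass a loader that constructs arbitrary objects.
parse_action_goal() is a hardened parser built on yaml.safe_load(), which
refuses python/object tags instead of instantiating them.
The source text and goal strings below are constructed for this example.
"""
import ast

try:
    import yaml  # PyYAML; only parse_action_goal() needs it
except ImportError:
    yaml = None

HAVE_YAML = yaml is not None

# Loaders that honour !!python/object* tags (FullLoader did so in PyYAML < 5.4).
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "FullLoader",
                  "CLoader", "CUnsafeLoader", "CFullLoader"}


def _is_yaml_load(call):
    """True for a call spelled exactly `yaml.load(...)`."""
    func = call.func
    return (isinstance(func, ast.Attribute) and func.attr == "load"
            and isinstance(func.value, ast.Name) and func.value.id == "yaml")


def _loader_name(node):
    """Class name of the loader argument (e.g. 'SafeLoader'), or None."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_unsafe_yaml_loads(source):
    """Return sorted [(line, reason), ...] for every yaml.load() call not known to be safe."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_yaml_load(node):
            continue
        loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader is None and len(node.args) >= 2:
            loader = node.args[1]  # Loader passed positionally
        if loader is None:
            findings.append((node.lineno, "yaml.load() without Loader= "
                             "(falls back to an unsafe loader on old PyYAML)"))
        elif _loader_name(loader) in UNSAFE_LOADERS:
            findings.append((node.lineno,
                             "yaml.load() with Loader=yaml." + _loader_name(loader)))
        elif _loader_name(loader) is None:
            findings.append((node.lineno, "yaml.load() with an unrecognised Loader expression"))
    return sorted(findings)


# Constructed source modelled on the pattern the CVE describes (not the real file).
SAMPLE_SOURCE = '''\
import yaml

def parse_goal_vulnerable(text):
    return yaml.load(text)  # the CVE-2020-10289 pattern

def parse_goal_still_unsafe(text):
    return yaml.load(text, Loader=yaml.UnsafeLoader)

def parse_goal_fixed(text):
    return yaml.load(text, Loader=yaml.SafeLoader)
'''

# Constructed goal strings: the first makes an unsafe loader call os.system
# while parsing; yaml.safe_load() raises instead of building the object.
MALICIOUS_GOAL = "!!python/object/apply:os.system ['echo pwned']"
BENIGN_GOAL = "{target_pose: {x: 1.0, y: 2.0}, timeout: 5}"


def parse_action_goal(text):
    """Hardened parser: plain data for well-formed YAML, None for anything rejected."""
    if not HAVE_YAML:
        raise RuntimeError("PyYAML is required for parse_action_goal()")
    try:
        return yaml.safe_load(text)
    except yaml.YAMLError:  # ConstructorError (unknown tag) is a YAMLError subclass
        return None


if __name__ == "__main__":
    for line, reason in find_unsafe_yaml_loads(SAMPLE_SOURCE):
        print("line %d: %s" % (line, reason))
    if HAVE_YAML:
        print("benign:", parse_action_goal(BENIGN_GOAL))
        print("malicious:", parse_action_goal(MALICIOUS_GOAL))
```

The AST scan is deliberately narrow (it only matches the `yaml.load` spelling) so it produces no false positives on aliased imports; extend `_is_yaml_load` if your code base does `from yaml import load`. Returning None for rejected input keeps the caller in control of error handling without ever letting the tag reach a constructor.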
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Openrobotics | Robot Operating System | All versions |
References
- https://github.com/ros/actionlib/pull/171 (Patch, Third Party Advisory)
Frequently Asked Questions
What is CVE-2020-10289?
An unsafe YAML load in the ROS actionlib package (actionlib/tools/library.py) that lets an attacker with local or remote access instantiate arbitrary Python objects while an action message is parsed, and so execute arbitrary Python code on the ROS Master.
How severe is CVE-2020-10289?
High: CVSS v3.1 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), with high impact on confidentiality, integrity and availability; the attacker needs only low privileges and no user interaction.
How do I fix CVE-2020-10289?
Apply the patch referenced above (https://github.com/ros/actionlib/pull/171) and parse action messages with yaml.safe_load() rather than yaml.load(); audit your own ROS tooling for the same pattern.
Source: NVD / NIST
