CVE-2024-39289

EUVD-2024-54800
A code execution vulnerability has been discovered in the Robot Operating System (ROS) 'rosparam' tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability stems from the use of the eval() function to process unsanitized, user-supplied parameter values via special converters for angle representations in radians. This flaw allowed attackers to craft and execute arbitrary Python code.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
canonicalCNA
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Debian logo
Debian Releases
Debian Product
Codename
ros-ros-comm
bookworm
unimportant
bullseye
unimportant
forky
unimportant
sid
unimportant
trixie
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ros-ros-comm
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
dne
oracular
dne
plucky
dne
questing
dne
xenial
needs-triage
ros-kinetic-ros-comm
xenial
Fixed 1.12.17+8
released
ros-melodic-ros-comm
bionic
Fixed 1.14.13+4
released
ros-noetic-ros-comm
focal
Fixed 1.17.4+2
released
Common Weakness Enumeration
References
https://www.ros.org/blog/noetic-eol/