OSRF ROS Indigo Igloo/Kinetic Kame/Melodic Morenia dynparam yaml.load deserialization
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.6 | $0-$5k | 0.00 |
Summary
A vulnerability was found in OSRF ROS Indigo Igloo/Kinetic Kame/Melodic Morenia and classified as critical. It affects the function yaml.load of the component dynparam. Manipulation of the input passed to that function leads to unsafe deserialization.
This vulnerability is tracked as CVE-2024-39780. The attack is restricted to local execution. No public exploit is available.
Applying a patch is advised to resolve this issue.
Details
A vulnerability was found in OSRF ROS Indigo Igloo/Kinetic Kame/Melodic Morenia. It has been declared as critical. This vulnerability affects the function yaml.load of the component dynparam. Manipulation with unknown input leads to a deserialization vulnerability. The CWE definition for the vulnerability is CWE-502: the product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. The known impact affects confidentiality, integrity, and availability. CVE summarizes:
A YAML deserialization vulnerability was found in the Robot Operating System (ROS) 'dynparam', a command-line tool for getting, setting, and deleting parameters of a dynamically configurable node, affecting ROS distributions Noetic and earlier. The issue is caused by the use of the yaml.load() function in the 'set' and 'get' verbs, and allows for the creation of arbitrary Python objects. Through this flaw, a local or remote user can craft and execute arbitrary Python code. This issue has now been fixed for ROS Noetic via commit 3d93ac13603438323d7e9fa74e879e45c5fe2e8e.
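The pattern the CVE text describes, as an added illustration that is not code from ROS or from dynparam: a hypothetical parameter-value parser written in the pre-fix style (PyYAML's yaml.load with the full Loader) beside the yaml.safe_load replacement, run over constructed inputs. The function names, the sample values, and the deliberately harmless `!!python/tuple` tag are assumptions; PyYAML must be installed.

```python
"""Hypothetical dynparam-style value parser (not the ROS code): the pre-fix
pattern, yaml.load with the full Loader, beside the safe_load replacement."""
import yaml  # PyYAML (third-party; assumed installed)
from yaml.constructor import ConstructorError

# Constructed sample inputs a user might pass to a 'set'-style verb.
PLAIN_VALUES = ["42", "3.5", "true", "[1, 2, 3]", "{rate: 10, name: lidar}"]

# Constructed input carrying a Python-specific tag. !!python/tuple is chosen
# because it is harmless: it shows that the loader builds Python objects named
# by the input text, without exercising anything dangerous.
TAGGED_VALUE = "!!python/tuple [1, 2]"


def parse_param_value_unsafe(text: str):
    """Pre-fix behaviour: yaml.Loader honours every !!python/* tag and will
    construct whatever Python object the input names."""
    return yaml.load(text, Loader=yaml.Loader)


def parse_param_value(text: str):
    """Fixed behaviour: safe_load only knows the core YAML types (scalars,
    sequences, mappings) and rejects any application-specific tag."""
    return yaml.safe_load(text)


def is_rejected_by_safe_load(text: str) -> bool:
    """True when safe_load refuses the input. ConstructorError is the
    exception PyYAML raises for a tag the loader has no constructor for."""
    try:
        yaml.safe_load(text)
    except ConstructorError:
        return True
    return False


def demo():
    """Parse every sample under both loaders and report the outcomes."""
    results = {}
    # Ordinary parameter values parse identically under both loaders.
    for v in PLAIN_VALUES:
        results[v] = (parse_param_value_unsafe(v), parse_param_value(v))
    # The tagged input is turned into a Python tuple by the unsafe loader...
    unsafe_obj = parse_param_value_unsafe(TAGGED_VALUE)
    # ...and refused outright by safe_load.
    rejected = is_rejected_by_safe_load(TAGGED_VALUE)
    return results, unsafe_obj, rejected


if __name__ == "__main__":
    results, unsafe_obj, rejected = demo()
    for v, (a, b) in results.items():
        print(f"{v!r:32} unsafe={a!r:28} safe={b!r}")
    print("unsafe loader built:", type(unsafe_obj).__name__, unsafe_obj)
    print("safe_load rejected tagged input:", rejected)
```

safe_load binds only the core YAML tags, so any `!!python/*` tag fails with a ConstructorError at parse time instead of being turned into a Python object; that is the whole fix, and it costs nothing for the scalar, list and mapping values a parameter tool actually needs. A code search for `yaml.load(` calls without `Loader=yaml.SafeLoader` (or for `yaml.load` with `yaml.Loader`, `yaml.FullLoader` or `yaml.UnsafeLoader`) is the quickest way to find the same pattern elsewhere in a code base.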
The weakness was disclosed by Florencia Cabral Berenfus of the Ubuntu Robotics Team. The advisory is available for download at github.com. The issue has carried the identifier CVE-2024-39780 since 08/08/2024. Exploitation appears to be easy. The attack must be carried out locally. Technical details are known, but no exploit is available.
Applying the patch eliminates this problem.
The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2024-54360). VulDB is the best source for vulnerability data and more expert information about this specific topic.
CVSSv3
VulDB Meta Base Score: 7.8
VulDB Meta Temp Score: 7.6
VulDB Base Score: 7.8
VulDB Temp Score: 7.5
CNA Base Score: 7.8
Exploiting
Class: Deserialization
CWE: CWE-502 / CWE-20
Physical: Partially
Local: Yes
Remote: Partially
Status: Not defined
Countermeasures
Recommended: Patch
Timeline
08/08/2024
04/02/2025
04/02/2025
06/18/2025
Sources
Advisory: github.com
Researcher: Florencia Cabral Berenfus
Organization: Ubuntu Robotics Team
Status: Confirmed
CVE: CVE-2024-39780
GCVE (CVE): GCVE-0-2024-39780
GCVE (VulDB): GCVE-100-302992
EUVD: EUVD-2024-54360
Entry
Created: 04/02/2025 11:25
Updated: 06/18/2025 16:17
Changes: 04/02/2025 11:25 (65), 06/18/2025 13:22 (5), 06/18/2025 16:17 (1)