CVE-2024-39289
BaseFortify
Publication date: 2025-07-17
Last updated on: 2025-08-26
Assigner: Canonical Ltd.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openrobotics | robot_operating_system | indigo_igloo |
| openrobotics | robot_operating_system | kinetic_kame |
| openrobotics | robot_operating_system | melodic_morenia |
| openrobotics | robot_operating_system | noetic_ninjemys |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a code execution flaw in the Robot Operating System (ROS) 'rosparam' tool. It occurs because the tool uses the eval() function to process user-supplied parameter values without proper sanitization, specifically for angle representations in radians. This allows attackers to craft input that executes arbitrary Python code.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can execute arbitrary Python code on the affected system, potentially leading to full compromise of the system's confidentiality, integrity, and availability.
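The eval() pattern described in the answer above, shown next to a hardened replacement, as an added example that is not rosparam's own code. The `rad(<expr>)` notation, the function names, and the choice to allow only numbers, `pi` and the four arithmetic operators are assumptions made here for illustration.

```python
import ast
import math

# Added example (not rosparam's code). The rad(<expr>) notation, the helper
# names and the whitelist below are assumptions made for illustration.
ALLOWED_NAMES = {"pi": math.pi}
BINARY_OPS = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b,
              ast.Mult: lambda a, b: a * b, ast.Div: lambda a, b: a / b}


def unsafe_parse_rad(value: str) -> float:
    """Vulnerable pattern (CWE-94/CWE-95): the text inside rad(...) is
    handed straight to eval(), so any Python expression the caller
    supplies is executed, not just an angle."""
    if value.startswith("rad(") and value.endswith(")"):
        return float(eval(value[4:-1]))  # intentionally unsafe, for contrast
    return float(value)


def _eval_node(node: ast.AST) -> float:
    """Recursively evaluate only whitelisted node types."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
            and not isinstance(node.value, bool):
        return float(node.value)
    if isinstance(node, ast.Name) and node.id in ALLOWED_NAMES:
        return ALLOWED_NAMES[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.UAdd, ast.USub)):
        operand = _eval_node(node.operand)
        return -operand if isinstance(node.op, ast.USub) else operand
    if isinstance(node, ast.BinOp) and type(node.op) in BINARY_OPS:
        return BINARY_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    # Calls, attributes, subscripts, comprehensions etc. never reach evaluation.
    raise ValueError(f"disallowed element in angle expression: {type(node).__name__}")


def safe_parse_rad(value: str) -> float:
    """Hardened form: parse with ast in 'eval' mode and walk the tree
    through a strict whitelist of arithmetic nodes before computing."""
    if not (value.startswith("rad(") and value.endswith(")")):
        raise ValueError("expected rad(<expr>)")
    tree = ast.parse(value[4:-1], mode="eval")
    return _eval_node(tree.body)


if __name__ == "__main__":
    print(safe_parse_rad("rad(pi/2)"))  # 1.5707963267948966
```

Any input that contains a call, attribute access or name outside the whitelist raises ValueError before anything is computed, which is the check the vulnerable pattern lacks.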