Víctor Mayoral Vilches

**Name of the Vulnerable Software and Affected Versions** actionlib (affected versions not specified) **Description** The issue is caused by an unsafe parsing of YAML values in the ROS core package of actionlib, allowing the instantiation of arbitrary objects. This occurs when an action message is processed to be sent, enabling the creation of Python objects. An attacker with local or remote access can exploit this flaw to execute arbitrary code in Python form on the ROS Master. **Recommendations** Consider using `yaml.safe load()` instead of the unsafe load method to prevent the instantiation of arbitrary objects. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Universal Robots control box CB 3.1 versions 1.10 through 1.12.1 **Description** The issue concerns the lack of encryption or protection for intellectual property artifacts installed from the UR+ platform, specifically URCaps files. These files, stored as plain zip files under '/root/.urcaps', contain logic to add functionality to UR3, UR5, and UR10 robots. An attacker with access to the robot or its network could exploit this, in combination with other flaws, to retrieve and exfiltrate installed intellectual property. **Recommendations** For Universal Robots control box CB 3.1 versions 1.10 through 1.12.1, consider restricting access to the '/root/.urcaps' directory to minimize the risk of exploitation. As a temporary workaround, limit network access to the robot to reduce the potential for attackers to retrieve URCaps files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SROS 2 version 0.8.1 **Description** The issue is related to a leaky default configuration, as indicated in the policy/defaults/dds/governance.xml document, which causes SROS 2 to leak node information. This leak is due to the default configuration used by SROS 2, which provides tools for generating and distributing keys for Robot Operating System 2 and utilizes the underlying security plugins of DDS from ROS 2. **Recommendations** For SROS 2 version 0.8.1, review and adjust the configuration settings in the policy/defaults/dds/governance.xml document to prevent node information leaks. Consider modifying the default configuration to enhance security and restrict unnecessary information disclosure.