PT-2025-14467 · Ros+1

Published 2025-04-02 · Updated 2025-08-26

CVE-2024-39780

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Robot Operating System (ROS), versions Noetic and earlier
Description: A YAML deserialization vulnerability was found in the ROS 'dynparam' command-line tool, which is used to get, set, and delete the parameters of a dynamically reconfigurable node. The 'set' and 'get' verbs pass their input to yaml.load(), and the unsafe PyYAML loader honours tags such as !!python/object/apply, so it constructs arbitrary Python objects and invokes arbitrary callables while parsing. A local or remote user who controls the string that reaches yaml.load() (the value supplied to 'set', or the data parsed during 'get') can therefore execute arbitrary Python code with the privileges of the user running dynparam.
Recommendations: For ROS Noetic, update to the version of the tool that includes the fix from commit 3d93ac13603438323d7e9fa74e879e45c5fe2e8e. For ROS distributions earlier than Noetic, no fixed release is known. Until a patched version is installed, replace the yaml.load() calls in the 'dynparam' tool with yaml.safe_load(), which only builds plain YAML types (strings, numbers, booleans, lists, dicts, null) and rejects python/* tags; this is the standard mitigation for this class of bug. After updating or patching, confirm that the installed dynparam script no longer contains a call to yaml.load() (for example by grepping it for 'yaml.load('). Restrict who can run 'dynparam', and avoid its 'set' and 'get' verbs, particularly against nodes you do not control, since ROS 1 does not authenticate the peers it talks to, until the fix is in place.
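The mechanism behind the advisory, as an added example that is not part of the original text or of the ROS code base: a minimal stand-in for what dynparam did before and after the fix. It assumes PyYAML is installed and that the tool handed an attacker-controlled string straight to yaml.load(); parse_param_vulnerable, parse_param_fixed, demo and the two sample values are names constructed for this illustration, and yaml.Loader is used to reproduce the unsafe behaviour explicitly rather than relying on whichever loader a bare yaml.load() resolved to on a given PyYAML version.

```python
"""Added example for CVE-2024-39780: yaml.load() versus yaml.safe_load().

Illustrative code written for this advisory, not the ROS dynparam tool.
It assumes only that dynparam passed an attacker-controlled string
(a 'set' value, or data parsed during 'get') to yaml.load().
Requires PyYAML, the library dynparam uses.
"""
import os

import yaml

# Constructed sample input: a value an attacker could pass as the parameter
# value to 'dynparam set', or feed to the tool on 'dynparam get'.  The
# !!python/object/apply tag tells an unsafe loader to import os and call
# os.getcwd() while parsing.  os.getcwd is used only because it has no side
# effects; any importable callable (os.system, subprocess.Popen, ...) can be
# named in the same position.
MALICIOUS_VALUE = "!!python/object/apply:os.getcwd []"

# Constructed benign input: the kind of value a legitimate user types.
BENIGN_VALUE = "{rate: 10, enable_filter: true, gain: 0.5}"


def parse_param_vulnerable(value: str):
    """The pre-fix pattern.

    yaml.Loader is PyYAML's unsafe loader: it honours python/* tags and so
    constructs arbitrary Python objects, and runs arbitrary callables, from
    the input.  Before PyYAML 5.1 a bare yaml.load(value) used this loader.
    """
    return yaml.load(value, Loader=yaml.Loader)


def parse_param_fixed(value: str):
    """The post-fix pattern: safe_load only builds plain YAML types
    (str, int, float, bool, list, dict, None) and rejects python/* tags."""
    return yaml.safe_load(value)


def demo() -> dict:
    """Run both parsers over both inputs and report what happened."""
    result = {}

    # Legitimate values parse identically under both loaders, so the fix
    # does not change what 'dynparam set' accepts from honest users.
    result["benign_vulnerable"] = parse_param_vulnerable(BENIGN_VALUE)
    result["benign_fixed"] = parse_param_fixed(BENIGN_VALUE)

    # The unsafe loader executes the embedded call during deserialization:
    # the parse result is whatever os.getcwd() returned, proving that a
    # function named in the input was invoked.
    result["malicious_vulnerable"] = parse_param_vulnerable(MALICIOUS_VALUE)
    result["malicious_vulnerable_ran_code"] = (
        result["malicious_vulnerable"] == os.getcwd()
    )

    # safe_load refuses the tag with a ConstructorError instead of executing.
    try:
        parse_param_fixed(MALICIOUS_VALUE)
        result["malicious_fixed"] = "ACCEPTED (unexpected)"
    except yaml.constructor.ConstructorError as exc:
        result["malicious_fixed"] = f"rejected: {exc.problem}"
    return result


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:30s} -> {val!r}")
```

Run it directly to see the unsafe loader return the result of os.getcwd(), meaning a function named in the input was executed during parsing, while safe_load raises ConstructorError on the same string and parses the benign value exactly as the unsafe loader does. Because any importable callable can be substituted for os.getcwd, control of that one string is full code execution, which is why the vector carries C:H/I:H/A:H.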

Deserialization of Untrusted Data · RCE

Weakness Enumeration

Related Identifiers: CVE-2024-39780

Affected Products: Debian, Ros