Attacker Can Execute Arbitrary Code via Dyn_param_handler_ Component in Open Robotics ROS2 Navigation 2
CVE-2024-41644

9.8CRITICAL

Key Information:

Vendor: Open Robotics
Status: Robot Operating System
Vendor: CVE Published:; 6 December 2024

🔔 Create Open Robotics Vulnerability Alert

What is CVE-2024-41644?

A security vulnerability has been identified within the Open Robotics Robotic Operating System 2 Navigation2 framework, specifically affecting the v.humble version. The flaw arises from insecure permissions associated with the dyn_param_handler_ component, enabling unauthorized users to potentially execute arbitrary code. This exposure raises significant concerns over the integrity and security of robotic applications leveraging this operating system. Users and developers are advised to evaluate their deployments and apply necessary mitigations to protect against potential attacks.

References

https://github.com/GoesM/ROS-CVE-CNVDs

https://github.com/ros-navigation/navigation2/issues/4496

https://github.com/ros-navigation/navigation2/pull/4521

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 6, 2024