Insecure Permissions vulnerability in ROS2 navigation2 allows arbitrary code execution
CVE-2024-41645

9.8CRITICAL

Key Information:

Vendor: Open Robotics
Status: Robot Operating System
Vendor: CVE Published:; 6 December 2024

🔔 Create Open Robotics Vulnerability Alert

What is CVE-2024-41645?

An insecure permissions vulnerability exists within the Open Robotics Robotic Operating System 2 (ROS2) Navigation2 framework. This flaw allows an attacker to execute arbitrary code through the nav2__amcl component by utilizing specially crafted scripts. Exploitation of this vulnerability can lead to unauthorized access and control over robotic systems relying on incorrect permission configurations, necessitating immediate attention and remediation to ensure operational integrity and security.

References

https://github.com/GoesM/ROS-CVE-CNVDs

https://github.com/ros-navigation/navigation2/issues/4497

https://github.com/ros-navigation/navigation2/pull/4521

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 6, 2024