THREATINT
PUBLISHED

CVE-2024-39780

Use of unsafe yaml load in dynparam

Description

A YAML deserialization vulnerability was found in the Robot Operating System (ROS) 'dynparam', a command-line tool for getting, setting, and deleting parameters of a dynamically configurable node, affecting ROS distributions Noetic and earlier. The issue is caused by the use of the yaml.load() function in the 'set' and 'get' verbs, and allows for the creation of arbitrary Python objects. Through this flaw, a local or remote user can craft and execute arbitrary Python code. This issue has now been fixed for ROS Noetic via commit 3d93ac13603438323d7e9fa74e879e45c5fe2e8e.
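The description contrasts `yaml.load()` with a safe loader. The following is an added illustration of that pattern, not the dynparam source: the function names and the two sample parameter values are constructed here, and the tagged value only shows that the full loader instantiates Python objects from a tag.

```python
"""Full loader versus safe loader on a dynparam-style parameter value.
Added example for CVE-2024-39780; not the project's own code."""
import yaml

# Constructed sample inputs standing in for the VALUE argument a user passes
# to `dynparam set` / `dynparam get`. Neither executes code; the tagged one
# merely shows that yaml.Loader builds Python objects from a tag.
BENIGN_VALUE = "{max_speed: 1.5, enable_lidar: true, frame_id: base_link}"
TAGGED_VALUE = "!!python/tuple [1, 2]"


def parse_param_unsafe(text):
    """The vulnerable pattern: yaml.Loader resolves tags in the
    tag:yaml.org,2002:python/ namespace and instantiates Python objects
    from caller-controlled text (CWE-502)."""
    return yaml.load(text, Loader=yaml.Loader)


def parse_param_safe(text):
    """The hardened pattern the upstream fix switches to: safe_load only
    knows the core YAML types (mappings, sequences, scalars)."""
    return yaml.safe_load(text)


def is_rejected_by_safe_loader(text):
    """True when the safe loader refuses the input; PyYAML raises a
    ConstructorError for any tag outside the core schema."""
    try:
        yaml.safe_load(text)
    except yaml.YAMLError:
        return True
    return False


if __name__ == "__main__":
    print("benign, safe loader:  ", parse_param_safe(BENIGN_VALUE))
    print("tagged, full loader:  ", parse_param_unsafe(TAGGED_VALUE))  # (1, 2)
    print("tagged, safe loader rejects:", is_rejected_by_safe_loader(TAGGED_VALUE))  # True
```

The same benign value round-trips through both loaders; only the safe loader refuses the tagged one, which is the behavioural difference the fix relies on.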

Reserved 2024-08-08 | Published 2025-04-02 | Updated 2025-04-02 | Assigner canonical


HIGH: 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-502 Deserialization of Untrusted Data

CWE-20 Improper Input Validation

Product status

Default status
unaffected

Noetic Ninjemys before 3d93ac13603438323d7e9fa74e879e45c5fe2e8e
affected

Melodic Morenia
affected

Kinetic Kame
affected

Indigo Igloo
affected

Credits

Florencia Cabral Berenfus, Ubuntu Robotics Team (finder)

References

github.com/ros/dynamic_reconfigure/pull/202

cve.org (CVE-2024-39780)

nvd.nist.gov (CVE-2024-39780)
