CVE-2024-39289

A code execution vulnerability has been discovered in the Robot Operating System (ROS) 'rosparam' tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability stems from the use of the eval() function to process unsanitized, user-supplied parameter values via special converters for angle representations in radians. This flaw allowed attackers to craft and execute arbitrary Python code.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.ros.org/blog/noetic-eol/	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:openrobotics:robot_operating_system:indigo_igloo:::::::*
	cpe:2.3:o:openrobotics:robot_operating_system:kinetic_kame:::::::*
	cpe:2.3:o:openrobotics:robot_operating_system:melodic_morenia:::::::*
	cpe:2.3:o:openrobotics:robot_operating_system:noetic_ninjemys:::::::*

History

No history.

Information

Published : 2025-07-17 20:15

Updated : 2025-08-26 17:51

NVD link : CVE-2024-39289

Mitre link : CVE-2024-39289

CVE.ORG link : CVE-2024-39289

JSON object : View

Products Affected

openrobotics

robot_operating_system

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

{"id": "CVE-2024-39289", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-07-17T20:15:27.230", "references": [{"url": "https://www.ros.org/blog/noetic-eol/", "tags": ["Product"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-95"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "A code execution vulnerability has been discovered in the Robot Operating System (ROS) 'rosparam' tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability stems from the use of the eval() function to process unsanitized, user-supplied parameter values via special converters for angle representations in radians. This flaw allowed attackers to craft and execute arbitrary Python code."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo en la herramienta 'rosparam' del Robot Operating System (ROS), que afecta a las distribuciones de ROS Noetic Ninjemys y anteriores. La vulnerabilidad se debe al uso de la funci\u00f3n eval() para procesar valores de par\u00e1metros no depurados, proporcionados por el usuario, mediante convertidores especiales para representaciones de \u00e1ngulos en radianes. Esta falla permit\u00eda a los atacantes manipular y ejecutar c\u00f3digo Python arbitrario."}], "lastModified": "2025-08-26T17:51:50.470", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:openrobotics:robot_operating_system:indigo_igloo:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0673568E-BE13-4D10-9E7B-57B6D38850B7"}, {"criteria": "cpe:2.3:o:openrobotics:robot_operating_system:kinetic_kame:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "429E39E2-7812-44F3-B3DB-D82561432B88"}, {"criteria": "cpe:2.3:o:openrobotics:robot_operating_system:melodic_morenia:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C319FA37-A18B-4706-9B29-827BA81CB5B8"}, {"criteria": "cpe:2.3:o:openrobotics:robot_operating_system:noetic_ninjemys:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F466D1C-796D-4857-BEDF-FA600DF47669"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}