CVE-2024-39289

Name: CVE-2024-39289
Description: A code execution vulnerability has been discovered in the Robot Operating System (ROS) 'rosparam' tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability stems from the use of the eval() function to process unsanitized, user-supplied parameter values via special converters for angle representations in radians. This flaw allowed attackers to craft and execute arbitrary Python code.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1110773

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release        Version                Status
ros-ros-comm (PTS)   bullseye       1.15.9+ds1-7+deb11u1   vulnerable
                     bookworm       1.15.15+ds-2           vulnerable
                     forky, trixie  1.17.0+ds-2            vulnerable
                     sid            1.17.4+ds-1            vulnerable

The information below is based on the following data on fixed versions.

Package        Type     Release      Fixed Version   Urgency        Origin   Debian Bugs
ros-ros-comm   source   (unstable)   (unfixed)       unimportant             1110773

Notes

Bogus report, all input to eval comes from trusted input
