CRITICAL🇵🇱 Wersja polska

CVE-2024-41649

CVSS 9.8v3.1pub. 2024-12-06upd. 2024-12-13

Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the executor_thread_.

🤖 AI Analysis
How it works

An attacker can deliver a crafted script directed at the executor_thread_ thread in the navigation2 package of ROS2. Improper permission configuration (CWE-281) allows execution of this script without required authentication or any user interaction. The vulnerability is network-accessible with low attack complexity, making it exceptionally easy to exploit.

Impact

An attacker can remotely execute arbitrary code on the target system, leading to complete loss of confidentiality, integrity, and availability — including potential takeover of control over a robotic system.

Mitigation & patch

Patches available from the vendor should be applied according to the references — pull request no. 4385 is available in the ros-navigation/navigation2 repository on GitHub. It is recommended to monitor releases and update the navigation2 package to a version containing the fix.

Who is affected

Open Robotics Robot Operating System 2 (ROS2), navigation2 package, humble version

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Openrobotics Robot Operating System

    APP
    Openrobotics
    2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-38924CRITICAL9.8PL ✓ten sam produkt

Use-after-free w ROS2 Nav2 humble — zdalny exploit przez nav2_amcl

CVE-2024-38922CRITICAL9.8PL ✓ten sam produkt

Heap overflow w procesie nav2_amcl systemu ROS2 Nav2

CVE-2024-38921CRITICAL9.8PL ✓ten sam produkt

Use-after-free w ROS2 Nav2 — zdalny atak przez parametr /amcl z_rand

CVE-2024-38923CRITICAL9.8PL ✓ten sam produkt

Use-after-free w ROS2 Nav2 humble poprzez proces nav2_amcl

CVE-2024-38925CRITICAL9.8PL ✓ten sam produkt

Use-after-free w ROS2 Nav2 — zdalny atak przez zmianę parametru AMCL