aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0

RVD#1999: Using xml, /opt/ros_noetic_ws/src/xacro/src/xacro/__init__.py:846 #1999

Closed rvd-bot closed 4 years ago

rvd-bot commented 4 years ago
{
    "id": 1999,
    "title": "RVD#1999: Using xml, /opt/ros_noetic_ws/src/xacro/src/xacro/__init__.py:846",
    "type": "bug",
    "description": "HIGH confidence of MEDIUM severity bug. Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called at /opt/ros_noetic_ws/src/xacro/src/xacro/__init__.py:846 See links for more info on the bug.",
    "cwe": "None",
    "cve": "None",
    "keywords": [
        "bandit",
        "bug",
        "static analysis",
        "testing",
        "triage",
        "bug"
    ],
    "system": "",
    "vendor": null,
    "severity": {
        "rvss-score": 0,
        "rvss-vector": "",
        "severity-description": "",
        "cvss-score": 0,
        "cvss-vector": ""
    },
    "links": [
        "https://github.com/aliasrobotics/RVD/issues/1999",
        "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b313-b320-xml-bad-minidom"
    ],
    "flaw": {
        "phase": "testing",
        "specificity": "subject-specific",
        "architectural-location": "application-specific",
        "application": "N/A",
        "subsystem": "N/A",
        "package": "N/A",
        "languages": "None",
        "date-detected": "2020-05-29 (08:48)",
        "detected-by": "Alias Robotics",
        "detected-by-method": "testing static",
        "date-reported": "2020-05-29 (08:48)",
        "reported-by": "Alias Robotics",
        "reported-by-relationship": "automatic",
        "issue": "https://github.com/aliasrobotics/RVD/issues/1999",
        "reproducibility": "always",
        "trace": "/opt/ros_noetic_ws/src/xacro/src/xacro/__init__.py:846",
        "reproduction": "See artifacts below (if available)",
        "reproduction-image": ""
    },
    "exploitation": {
        "description": "",
        "exploitation-image": "",
        "exploitation-vector": ""
    },
    "mitigation": {
        "description": "",
        "pull-request": "",
        "date-mitigation": ""
    }
}
ibaiape commented 4 years ago

minidom is vulnerable to billion laughs and quadratic blowup DoS attacks.

CWE-776