
Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0

RVD#2038: Using xml., /opt/ros_noetic_ws/src/ros/roslib/src/roslib/manifestlib.py:552 #2038

Closed rvd-bot closed 4 years ago

rvd-bot commented 4 years ago
{
    "id": 2038,
    "title": "RVD#2038: Using xml., /opt/ros_noetic_ws/src/ros/roslib/src/roslib/manifestlib.py:552",
    "type": "bug",
    "description": "HIGH confidence of MEDIUM severity bug. Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function, or make sure defusedxml.defuse_stdlib() is called, at /opt/ros_noetic_ws/src/ros/roslib/src/roslib/manifestlib.py:552. See links for more info on the bug.",
    "cwe": "None",
    "cve": "None",
    "keywords": [
        "bandit",
        "bug",
        "static analysis",
        "testing",
        "triage",
        "bug"
    ],
    "system": "",
    "vendor": null,
    "severity": {
        "rvss-score": 0,
        "rvss-vector": "",
        "severity-description": "",
        "cvss-score": 0,
        "cvss-vector": ""
    },
    "links": [
        "https://github.com/aliasrobotics/RVD/issues/2038",
        "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b313-b320-xml-bad-minidom"
    ],
    "flaw": {
        "phase": "testing",
        "specificity": "subject-specific",
        "architectural-location": "application-specific",
        "application": "N/A",
        "subsystem": "N/A",
        "package": "N/A",
        "languages": "None",
        "date-detected": "2020-05-29 (09:21)",
        "detected-by": "Alias Robotics",
        "detected-by-method": "testing static",
        "date-reported": "2020-05-29 (09:21)",
        "reported-by": "Alias Robotics",
        "reported-by-relationship": "automatic",
        "issue": "https://github.com/aliasrobotics/RVD/issues/2038",
        "reproducibility": "always",
        "trace": "/opt/ros_noetic_ws/src/ros/roslib/src/roslib/manifestlib.py:552",
        "reproduction": "See artifacts below (if available)",
        "reproduction-image": ""
    },
    "exploitation": {
        "description": "",
        "exploitation-image": "",
        "exploitation-vector": ""
    },
    "mitigation": {
        "description": "",
        "pull-request": "",
        "date-mitigation": ""
    }
}
ibaiape commented 4 years ago

Duplicate of #1931