RVD#3288: Using xmlrpclib to parse untrusted XML data is known to be vulnerable to..., ./Firmware/src/modules/systemlib/param/px4params/dokuwikirpc.py:2

[rvd-bot]

id: 3288
title: 'RVD#3288: Using xmlrpclib to parse untrusted XML data is known to be vulnerable
  to..., ./Firmware/src/modules/systemlib/param/px4params/dokuwikirpc.py:2'
type: bug
description: HIGH confidence of HIGH severity bug. Using xmlrpclib to parse untrusted
  XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch()
  function to monkey-patch xmlrpclib and mitigate XML vulnerabilities. ./Firmware/src/modules/systemlib/param/px4params/dokuwikirpc.py:2.
  See links for more info on the bug.
cwe: None
cve: None
keywords:
- bandit
- bug
- static analysis
- testing
- triage
- bug
- 'version: v1.7.0'
- 'robot component: PX4'
- components software
system: ''
vendor: null
severity:
  rvss-score: 0
  rvss-vector: ''
  severity-description: ''
  cvss-score: 0
  cvss-vector: ''
links:
- https://github.com/aliasrobotics/RVD/issues/3288
- https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b411-import-xmlrpclib
flaw:
  phase: testing
  specificity: subject-specific
  architectural-location: application-specific
  application: N/A
  subsystem: N/A
  package: N/A
  languages: None
  date-detected: 2020-06-30 (10:45)
  detected-by: Alias Robotics
  detected-by-method: testing static
  date-reported: 2020-06-30 (10:45)
  reported-by: Alias Robotics
  reported-by-relationship: automatic
  issue: https://github.com/aliasrobotics/RVD/issues/3288
  reproducibility: always
  trace: ./Firmware/src/modules/systemlib/param/px4params/dokuwikirpc.py:2
  reproduction: See artifacts below (if available)
  reproduction-image: ''
exploitation:
  description: ''
  exploitation-image: ''
  exploitation-vector: ''
  exploitation-recipe: ''
mitigation:
  description: ''
  pull-request: ''
  date-mitigation: ''