aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0

RVD#3290: Using xml, ./Firmware/src/modules/systemlib/param/px_generate_params.py:21 #3290

Closed rvd-bot closed 4 years ago

rvd-bot commented 4 years ago
id: 3290
title: 'RVD#3290: Using xml, ./Firmware/src/modules/systemlib/param/px_generate_params.py:21'
type: bug
description: HIGH confidence of MEDIUM severity bug. Using xml.etree.ElementTree.parse
  to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse
  with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib()
  is called ./Firmware/src/modules/systemlib/param/px_generate_params.py:21. See links
  for more info on the bug.
cwe: None
cve: None
keywords:
- bandit
- bug
- static analysis
- testing
- triage
- bug
- 'version: v1.7.0'
- 'robot component: PX4'
- components software
system: ''
vendor: null
severity:
  rvss-score: 0
  rvss-vector: ''
  severity-description: ''
  cvss-score: 0
  cvss-vector: ''
links:
- https://github.com/aliasrobotics/RVD/issues/3290
- https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
flaw:
  phase: testing
  specificity: subject-specific
  architectural-location: application-specific
  application: N/A
  subsystem: N/A
  package: N/A
  languages: None
  date-detected: 2020-06-30 (10:46)
  detected-by: Alias Robotics
  detected-by-method: testing static
  date-reported: 2020-06-30 (10:46)
  reported-by: Alias Robotics
  reported-by-relationship: automatic
  issue: https://github.com/aliasrobotics/RVD/issues/3290
  reproducibility: always
  trace: ./Firmware/src/modules/systemlib/param/px_generate_params.py:21
  reproduction: See artifacts below (if available)
  reproduction-image: ''
exploitation:
  description: ''
  exploitation-image: ''
  exploitation-vector: ''
  exploitation-recipe: ''
mitigation:
  description: ''
  pull-request: ''
  date-mitigation: ''