UBUNTU-CVE-2020-10289

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2020-10289

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-10289.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2020-10289

Upstream

CVE-2020-10289

Published

2020-08-20T08:15:00Z

Modified

2026-04-22T12:25:38.886177Z

Severity

8.0 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Use of unsafe yaml load. Allows instantiation of arbitrary objects. The flaw itself is caused by an unsafe parsing of YAML values which happens whenever an action message is processed to be sent, and allows for the creation of Python objects. Through this flaw in the ROS core package of actionlib, an attacker with local or remote access can make the ROS Master, execute arbitrary code in Python form. Consider yaml.safe_load() instead. Located first in actionlib/tools/library.py:132. See links for more info on the bug.

References

Affected packages

Ubuntu:16.04:LTS / ros-actionlib

Package

Name: ros-actionlib
Purl: pkg:deb/ubuntu/ros-actionlib@1.11.4-2?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.11.4-1

1.11.4-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "cl-actionlib",
            "binary_version": "1.11.4-2"
        },
        {
            "binary_name": "libactionlib0d",
            "binary_version": "1.11.4-2"
        },
        {
            "binary_name": "python-actionlib",
            "binary_version": "1.11.4-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-10289.json"

Ubuntu:18.04:LTS / ros-actionlib

Package

Name: ros-actionlib
Purl: pkg:deb/ubuntu/ros-actionlib@1.11.12-1?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.11.7-1

1.11.7-1build1

1.11.11-1

1.11.12-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "cl-actionlib",
            "binary_version": "1.11.12-1"
        },
        {
            "binary_name": "libactionlib0d",
            "binary_version": "1.11.12-1"
        },
        {
            "binary_name": "python-actionlib",
            "binary_version": "1.11.12-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-10289.json"

Ubuntu:20.04:LTS / ros-actionlib

Package

Name: ros-actionlib
Purl: pkg:deb/ubuntu/ros-actionlib@1.12.0-4ubuntu1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.12.0-1

1.12.0-2

1.12.0-4

1.12.0-4ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "cl-actionlib",
            "binary_version": "1.12.0-4ubuntu1"
        },
        {
            "binary_name": "libactionlib0d",
            "binary_version": "1.12.0-4ubuntu1"
        },
        {
            "binary_name": "python3-actionlib",
            "binary_version": "1.12.0-4ubuntu1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-10289.json"