CVE-2023-24010

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-24010

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-24010.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-24010

Downstream

DEBIAN-CVE-2023-24010

UBUNTU-CVE-2023-24010

Published

2025-01-09T15:15:11Z

Modified

2025-08-09T20:01:25Z

Summary

[none]

Details

An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.

References

https://github.com/ros2/sros2/issues/282
https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d

CVE-2023-24010

Affected packages