RVD#3290: Using xml, ./Firmware/src/modules/systemlib/param/px_generate_params.py:21
rvd-bot opened this issue · 0 comments
id: 3290
title: 'RVD#3290: Using xml, ./Firmware/src/modules/systemlib/param/px_generate_params.py:21'
type: bug
description: HIGH confidence of MEDIUM severity bug. Using xml.etree.ElementTree.parse
  to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse
  with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib()
  is called at ./Firmware/src/modules/systemlib/param/px_generate_params.py:21. See links
  for more info on the bug.
cwe: None
cve: None
keywords:
  - bandit
  - bug
  - static analysis
  - testing
  - triage
  - bug
  - 'version: v1.7.0'
  - 'robot component: PX4'
  - components software
system: ''
vendor: null
severity:
  rvss-score: 0
  rvss-vector: ''
  severity-description: ''
  cvss-score: 0
  cvss-vector: ''
links:
  - https://github.com/aliasrobotics/RVD/issues/3290
  - https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
flaw:
  phase: testing
  specificity: subject-specific
  architectural-location: application-specific
  application: N/A
  subsystem: N/A
  package: N/A
  languages: None
  date-detected: 2020-06-30 (10:46)
  detected-by: Alias Robotics
  detected-by-method: testing static
  date-reported: 2020-06-30 (10:46)
  reported-by: Alias Robotics
  reported-by-relationship: automatic
  issue: https://github.com/aliasrobotics/RVD/issues/3290
  reproducibility: always
  trace: ./Firmware/src/modules/systemlib/param/px_generate_params.py:21
  reproduction: See artifacts below (if available)
  reproduction-image: ''
exploitation:
  description: ''
  exploitation-image: ''
  exploitation-vector: ''
  exploitation-recipe: ''
mitigation:
  description: ''
  pull-request: ''
  date-mitigation: ''