Search criteria
30 vulnerabilities by eprosima
CVE-2025-64438 (GCVE-0-2025-64438)
Vulnerability from cvelistv5 – Published: 2026-02-03 19:32 – Updated: 2026-02-03 20:30
VLAI?
Title
Fast-DDS: Unbounded GAP range triggers OOM DoS under RELIABLE QoS
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast
-DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList
.base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of s
equence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination.
No authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS
limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch t
he issue.
Severity ?
CWE
- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:30:43.758529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:30:50.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a\u0026nbsp;remotely triggerable Out-of-Memory (OOM) denial-of-service exists\n in Fast-DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (\n`gapList.base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts milli\nons of sequence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termi\nnation. No authentication is required beyond network reachability to the reader on the DDS domain. In environments without\n an RSS limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11\n patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast\n-DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList\n.base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of s\nequence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. \nNo authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS \nlimit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch t\nhe issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:32:22.265Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-64438"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/0b0cb308eaeeb2175694aa0a0a723106824ce9a7"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/71da01b4aea4d937558984f2cf0089f5ba3c871f"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/8ca016134dac20b6e30e42b7b73466ef7cdbc213"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Fast-DDS: Unbounded GAP range triggers OOM DoS under RELIABLE QoS",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64438",
"datePublished": "2026-02-03T19:32:22.265Z",
"dateReserved": "2025-11-03T22:12:51.366Z",
"dateUpdated": "2026-02-03T20:30:50.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64098 (GCVE-0-2025-64098)
Vulnerability from cvelistv5 – Published: 2026-02-03 19:29 – Updated: 2026-02-03 20:36
VLAI?
Title
FastDDS has Out-of-memory in readOctetVector via Manipulated DATA Submessage when DDS Security is enabled
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t
he fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically by ta
mpering with the the `vecsize` value read by `readOctetVector` — a 32-bit integer overflow can occur, causing `std::vector
::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3
.3.1, and 2.6.11 patch the issue.
Severity ?
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:36:36.571960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:36:46.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within \nan SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.\u0026n\nbsp;If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specifical\nly by tampering with the the `vecsize` value read by `readOctetVector` \u2014 a 32-bit integer overflow can occur, causing `std\n::vector::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions \n3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an \nSPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t\nhe fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specifically by ta\nmpering with the the `vecsize` value read by `readOctetVector` \u2014 a 32-bit integer overflow can occur, causing `std::vector\n::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3\n.3.1, and 2.6.11 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:29:09.168Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-64098"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS has Out-of-memory in readOctetVector via Manipulated DATA Submessage when DDS Security is enabled",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64098",
"datePublished": "2026-02-03T19:29:09.168Z",
"dateReserved": "2025-10-27T15:26:14.126Z",
"dateUpdated": "2026-02-03T20:36:46.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62799 (GCVE-0-2025-62799)
Vulnerability from cvelistv5 – Published: 2026-02-03 19:26 – Updated: 2026-02-03 20:40
VLAI?
Title
FastDDS's heap buffer overflow in RTPS DATA_FRAG enables unauthenticated DoS (potential RCE)
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un
authenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft
ed to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write
s past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (
RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Severity ?
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62799",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:40:27.383841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:40:35.185Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An\n unauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are cr\nafted to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code wr\nites past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruptio\nn (RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un\nauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft\ned to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write\ns past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (\nRCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:26:22.397Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62799"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS\u0027s heap buffer overflow in RTPS DATA_FRAG enables unauthenticated DoS (potential RCE)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62799",
"datePublished": "2026-02-03T19:26:22.397Z",
"dateReserved": "2025-10-22T18:55:48.012Z",
"dateUpdated": "2026-02-03T20:40:35.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62603 (GCVE-0-2025-62603)
Vulnerability from cvelistv5 – Published: 2026-02-03 19:23 – Updated: 2026-02-03 20:44
VLAI?
Title
FastDDS has Out-of-memory while parsing GenericMessage when DDS Security is enabled
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on
going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token
delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i
.e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed
sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),
string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat
es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s
o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,
delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n
umbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal
header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi
ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p
atch the issue.
Severity ?
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62603",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:44:04.457672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:44:12.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also\n ongoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and tok\nen delivery for newly appearing endpoints.\u0026nbsp;On receive, the CDR parser is invoked first and deserializes the `message_\ndata` (i.e., the `DataHolderSeq`) via the `readParticipantGenericMessage \u2192 readDataHolderSeq` path.\u0026nbsp;The `DataHolderSe\nq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-\nDH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector).\u0026nbsp\n;The parser operates at a stateless level and does not know higher-layer state (for example, whether the handshake has alr\neady completed), so it fully unfolds the structure before distinguishing legitimate from malformed traffic.\u0026nbsp;Because R\nTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check \nidentity and sequence numbers before discarding or processing a message; the current implementation, however, does not \"p\neek\" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1,\n and 2.6.11, this parsing behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4\n.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on\ngoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token \ndelivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i\n.e., the `DataHolderSeq`) via the `readParticipantGenericMessage \u2192 readDataHolderSeq` path. The `DataHolderSeq` is parsed \nsequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),\n string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat\nes at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s\no it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,\n delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n\numbers before discarding or processing a message; the current implementation, however, does not \"peek\" only at a minimal\n header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi\nng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p\natch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:23:38.191Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62603"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS has Out-of-memory while parsing GenericMessage when DDS Security is enabled",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62603",
"datePublished": "2026-02-03T19:23:38.191Z",
"dateReserved": "2025-10-16T19:24:37.267Z",
"dateUpdated": "2026-02-03T20:44:12.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62602 (GCVE-0-2025-62602)
Vulnerability from cvelistv5 – Published: 2026-02-03 19:20 – Updated: 2026-02-03 20:54
VLAI?
Title
FastDDS has heap buffer overflow in readData via Manipulated DATA Submessage when DDS Security is enabled
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields
of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specially `readOctetVector`
reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter — the attacker-contro
lled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca
tion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination.
Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Severity ?
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:53:59.924429Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:54:07.544Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within \nan SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS.\u0026nbsp;If the\n fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specially `readOcte\ntVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter \u2014 the attacke\nr-controlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause larg\ne allocation attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termi\nnation. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an \nSPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields \nof `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specially `readOctetVector`\n reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter \u2014 the attacker-contro\nlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca\ntion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. \nVersions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:20:55.963Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62602"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS has heap buffer overflow in readData via Manipulated DATA Submessage when DDS Security is enabled",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62602",
"datePublished": "2026-02-03T19:20:55.963Z",
"dateReserved": "2025-10-16T19:24:37.267Z",
"dateUpdated": "2026-02-03T20:54:07.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62601 (GCVE-0-2025-62601)
Vulnerability from cvelistv5 – Published: 2026-02-03 19:16 – Updated: 2026-02-03 21:11
VLAI?
Title
FastDDS has heap buffer overflow in readString via Manipulated DATA Submessage when DDS Security is enabled
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields
of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage — specifically by tampering with the `str_size`
value read by `readString` (called from `readBinaryProperty`) — are modified, a 32-bit integer overflow can occur, causing
`std::vector::resize` to use an attacker-controlled size and quickly trigger heap buffer overflow and remote process term
ination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Severity ?
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T21:10:54.517766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T21:11:05.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within \nan SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fiel\nds of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage \u2014 specifically by tampering with the `str_siz\ne` value read by `readString` (called from `readBinaryProperty`) \u2014 are modified, a 32-bit integer overflow can occur, caus\ning `std::vector::resize` to use an attacker-controlled size and quickly trigger heap buffer overflow and remote process t\nermination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an \nSPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields \nof `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage \u2014 specifically by tampering with the `str_size` \nvalue read by `readString` (called from `readBinaryProperty`) \u2014 are modified, a 32-bit integer overflow can occur, causing\n `std::vector::resize` to use an attacker-controlled size and quickly trigger heap buffer overflow and remote process term\nination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:16:20.692Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62601"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS has heap buffer overflow in readString via Manipulated DATA Submessage when DDS Security is enabled",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62601",
"datePublished": "2026-02-03T19:16:20.692Z",
"dateReserved": "2025-10-16T19:24:37.267Z",
"dateUpdated": "2026-02-03T21:11:05.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62600 (GCVE-0-2025-62600)
Vulnerability from cvelistv5 – Published: 2026-02-03 19:11 – Updated: 2026-02-03 19:48
VLAI?
Title
FastDDS has Out-of-Memory in readPropertySeq via Manipulated DATA Submessage when DDS Security is enabled
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t
he fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length
field in readBinaryPropertySeq — are modified, an integer overflow occurs, leading to an OOM during the resize operation.
Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Severity ?
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62600",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T19:48:02.906797Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:48:12.163Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within \nan SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.\u0026n\nbsp;If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage \u2014 specifically by tampering with th\ne length field in readBinaryPropertySeq \u2014 are modified, an integer overflow occurs, leading to an OOM during the resize op\neration. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an \nSPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t\nhe fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage \u2014 specifically by tampering with the length\n field in readBinaryPropertySeq \u2014 are modified, an integer overflow occurs, leading to an OOM during the resize operation.\n Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:11:19.429Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62600"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS has Out-of-Memory in readPropertySeq via Manipulated DATA Submessage when DDS Security is enabled",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62600",
"datePublished": "2026-02-03T19:11:19.429Z",
"dateReserved": "2025-10-16T19:24:37.267Z",
"dateUpdated": "2026-02-03T19:48:12.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62599 (GCVE-0-2025-62599)
Vulnerability from cvelistv5 – Published: 2026-02-03 17:54 – Updated: 2026-02-04 16:51
VLAI?
Title
FastDDS has Out-of-Memory in readPropertySeq via Manipulated DATA Submessage when DDS Security is enabled
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t
he fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length
field in readPropertySeq — are modified, an integer overflow occurs, leading to an OOM during the resize operation. Versi
ons 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Severity ?
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:46:25.679617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:51:30.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within \nan SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. I\nf the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage \u2014 specifically by tampering with the len\ngth field in readPropertySeq \u2014 are modified, an integer overflow occurs, leading to an OOM during the resize operation. Ve\nrsions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an \nSPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t\nhe fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage \u2014 specifically by tampering with the length\n field in readPropertySeq \u2014 are modified, an integer overflow occurs, leading to an OOM during the resize operation. Versi\nons 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T17:54:49.511Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62599"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS has Out-of-Memory in readPropertySeq via Manipulated DATA Submessage when DDS Security is enabled",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62599",
"datePublished": "2026-02-03T17:54:49.511Z",
"dateReserved": "2025-10-16T19:24:37.267Z",
"dateUpdated": "2026-02-04T16:51:30.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67108 (GCVE-0-2025-67108)
Vulnerability from cvelistv5 – Published: 2025-12-23 00:00 – Updated: 2025-12-23 15:48
VLAI?
Summary
eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections.
Severity ?
10 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-67108",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-23T15:46:57.199108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-298",
"description": "CWE-298 Improper Validation of Certificate Expiration",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-370",
"description": "CWE-370 Missing Check for Certificate Revocation after Initial Check",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T15:48:27.499Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T15:22:23.705Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://eprosima.com"
},
{
"url": "http://fast-dds.com"
},
{
"url": "https://github.com/eProsima/Fast-DDS/blob/master/src/cpp/security/accesscontrol/Permissions.cpp#L263"
},
{
"url": "https://gist.github.com/lkloliver/81b5d5a8328d712dbfd497bf11dbe913"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-67108",
"datePublished": "2025-12-23T00:00:00.000Z",
"dateReserved": "2025-12-08T00:00:00.000Z",
"dateUpdated": "2025-12-23T15:48:27.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65865 (GCVE-0-2025-65865)
Vulnerability from cvelistv5 – Published: 2025-12-23 00:00 – Updated: 2025-12-23 16:05
VLAI?
Summary
An integer overflow in eProsima Fast-DDS v3.3 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-65865",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-23T16:03:18.896476Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T16:05:06.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An integer overflow in eProsima Fast-DDS v3.3 allows attackers to cause a Denial of Service (DoS) via a crafted input."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T15:44:51.749Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://eprosima.com"
},
{
"url": "http://fast-dds.com"
},
{
"url": "https://github.com/lkloliver/poc/blob/main/Detail.md"
},
{
"url": "https://gist.github.com/lkloliver/7aa48cb9fc7a1dd74cb595212bb69d33"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-65865",
"datePublished": "2025-12-23T00:00:00.000Z",
"dateReserved": "2025-11-18T00:00:00.000Z",
"dateUpdated": "2025-12-23T16:05:06.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-63829 (GCVE-0-2025-63829)
Vulnerability from cvelistv5 – Published: 2025-11-18 00:00 – Updated: 2025-11-18 17:12
VLAI?
Summary
eProsima Fast-DDS v3.3 and before has an infinite loop vulnerability caused by integer overflow in the Time_t:: fraction() function.
Severity ?
5.3 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-63829",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T17:12:23.141462Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T17:12:46.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eProsima Fast-DDS v3.3 and before has an infinite loop vulnerability caused by integer overflow in the Time_t:: fraction() function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:18:44.816Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/eProsima/Fast-DDS/blob/master/src/cpp/fastdds/core/Time_t.cpp#L67"
},
{
"url": "https://gist.github.com/lkloliver/b00377bec754d4aa1dc731be210d5889"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-63829",
"datePublished": "2025-11-18T00:00:00.000Z",
"dateReserved": "2025-10-27T00:00:00.000Z",
"dateUpdated": "2025-11-18T17:12:46.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-24807 (GCVE-0-2025-24807)
Vulnerability from cvelistv5 – Published: 2025-02-11 15:31 – Updated: 2025-02-11 16:12
VLAI?
Title
Fast DDS does not verify Permissions CA
Summary
eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0, per design, PermissionsCA is not full chain validated, nor is the expiration date validated. Access control plugin validates only the S/MIME signature which causes an expired PermissionsCA to be taken as valid. Even though this issue is responsible for allowing `governance/permissions` from an expired PermissionsCA and having the system crash when PermissionsCA is not self-signed and contains the full-chain, the impact is low. Versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0 contain a fix for the issue.
Severity ?
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T16:12:29.982265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T16:12:41.714Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.10"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.10.7"
},
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c 2.14.5"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.2"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0, per design, PermissionsCA is not full chain validated, nor is the expiration date validated. Access control plugin validates only the S/MIME signature which causes an expired PermissionsCA to be taken as valid. Even though this issue is responsible for allowing `governance/permissions` from an expired PermissionsCA and having the system crash when PermissionsCA is not self-signed and contains the full-chain, the impact is low. Versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0 contain a fix for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:31:50.337Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-w33g-jmm2-8983",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-w33g-jmm2-8983"
},
{
"name": "https://github.com/eProsima/Fast-DDS/pull/5530",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/pull/5530"
},
{
"name": "https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/accesscontrol/Permissions.cpp#L390-L396",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/accesscontrol/Permissions.cpp#L390-L396"
},
{
"name": "https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/accesscontrol/Permissions.cpp#L412",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/accesscontrol/Permissions.cpp#L412"
},
{
"name": "https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/authentication/PKIDH.cpp#L241",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/authentication/PKIDH.cpp#L241"
},
{
"name": "https://www.omg.org/spec/DDS-SECURITY/1.1/PDF",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.omg.org/spec/DDS-SECURITY/1.1/PDF"
}
],
"source": {
"advisory": "GHSA-w33g-jmm2-8983",
"discovery": "UNKNOWN"
},
"title": "Fast DDS does not verify Permissions CA"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24807",
"datePublished": "2025-02-11T15:31:50.337Z",
"dateReserved": "2025-01-23T17:11:35.840Z",
"dateUpdated": "2025-02-11T16:12:41.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-24010 (GCVE-0-2023-24010)
Vulnerability from cvelistv5 – Published: 2025-01-09 14:36 – Updated: 2025-01-09 20:05
VLAI?
Title
Data Distribution Service (DDS) Chain of Trust (CoT) violation in Fast DDS
Summary
An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.
Severity ?
8.2 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Credits
amrc-benmorrow
Gianluca Caizza
Ruffin White
Victor Mayoral Vilches
Mikael Arguedas
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-24010",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-09T15:29:56.704739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T15:30:17.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "sros2",
"product": "DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "amrc-benmorrow"
},
{
"lang": "en",
"type": "finder",
"value": "Gianluca Caizza"
},
{
"lang": "en",
"type": "finder",
"value": "Ruffin White"
},
{
"lang": "en",
"type": "finder",
"value": "Victor Mayoral Vilches"
},
{
"lang": "en",
"type": "finder",
"value": "Mikael Arguedas"
}
],
"datePublic": "2023-02-25T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate\u2019s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures."
}
],
"value": "An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate\u2019s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T20:05:48.421277Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://github.com/ros2/sros2/issues/282"
},
{
"url": "https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Instead of including the Permission CA into the store of trusted certificates to use for chain verification, the Permission CA (and only the Permission CA) should be included in the set of certificates in which to search for signer\u0027s certificates. The store of trusted certificates to use for chain verification should then also be set to null. 2) With the store of trusted certificates to use for chain verification set to null, the PKCS7_NOVERIFY flag should then be enabled so any signer\u0027s certificates (i.e. only the Permission CA) is not chain verified. 3) Given that only a valid signer\u0027s certificate must be the Permission CA, the PKCS7_NOINTERN flag should then be enabled so any set of certificates in the message itself are not searched when locating the signer\u0027s certificates."
}
],
"value": "Instead of including the Permission CA into the store of trusted certificates to use for chain verification, the Permission CA (and only the Permission CA) should be included in the set of certificates in which to search for signer\u0027s certificates. The store of trusted certificates to use for chain verification should then also be set to null. 2) With the store of trusted certificates to use for chain verification set to null, the PKCS7_NOVERIFY flag should then be enabled so any signer\u0027s certificates (i.e. only the Permission CA) is not chain verified. 3) Given that only a valid signer\u0027s certificate must be the Permission CA, the PKCS7_NOINTERN flag should then be enabled so any set of certificates in the message itself are not searched when locating the signer\u0027s certificates."
}
],
"source": {
"advisory": "RVD#3345",
"discovery": "EXTERNAL"
},
"title": "Data Distribution Service (DDS) Chain of Trust (CoT) violation in Fast DDS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2023-24010",
"datePublished": "2025-01-09T14:36:05.972Z",
"dateReserved": "2023-01-20T12:00:57.059Z",
"dateUpdated": "2025-01-09T20:05:48.421277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30259 (GCVE-0-2024-30259)
Vulnerability from cvelistv5 – Published: 2024-05-13 14:45 – Updated: 2024-08-02 01:32
VLAI?
Title
FastDDS heap buffer overflow when publisher sends malformed packet
Summary
FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8, when a publisher serves malformed `RTPS` packet, heap buffer overflow occurs on the subscriber. This can remotely crash any Fast-DDS process, potentially leading to a DOS attack. Versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8 contain a patch for the issue.
Severity ?
8.2 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:eprosima:fast_dds:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fast_dds",
"vendor": "eprosima",
"versions": [
{
"lessThan": "2.6.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:eprosima:fast_dds:2.10.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fast_dds",
"vendor": "eprosima",
"versions": [
{
"lessThan": "2.10.4",
"status": "affected",
"version": "2.10.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:eprosima:fast_dds:2.13.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fast_dds",
"vendor": "eprosima",
"versions": [
{
"lessThan": "2.13.5",
"status": "affected",
"version": "2.13.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:eprosima:fast_dds:2.14.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fast_dds",
"vendor": "eprosima",
"versions": [
{
"status": "affected",
"version": "2.14.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30259",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-13T19:24:09.926583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T18:16:26.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:32:05.392Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-qcj9-939p-p662",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-qcj9-939p-p662"
},
{
"name": "https://drive.google.com/file/d/1Y2bGvP3UIOJCLh_XEURLdhrM2Sznlvlp/view?usp=sharing",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://drive.google.com/file/d/1Y2bGvP3UIOJCLh_XEURLdhrM2Sznlvlp/view?usp=sharing"
},
{
"name": "https://vimeo.com/907641887?share=copy",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vimeo.com/907641887?share=copy"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "= 2.14.0"
},
{
"status": "affected",
"version": "\u003e= 2.13.0, \u003c 2.13.5"
},
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.10.4"
},
{
"status": "affected",
"version": "\u003c 2.6.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8, when a publisher serves malformed `RTPS` packet, heap buffer overflow occurs on the subscriber. This can remotely crash any Fast-DDS process, potentially leading to a DOS attack. Versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8 contain a patch for the issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-13T14:45:28.134Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-qcj9-939p-p662",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-qcj9-939p-p662"
},
{
"name": "https://drive.google.com/file/d/1Y2bGvP3UIOJCLh_XEURLdhrM2Sznlvlp/view?usp=sharing",
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/file/d/1Y2bGvP3UIOJCLh_XEURLdhrM2Sznlvlp/view?usp=sharing"
},
{
"name": "https://vimeo.com/907641887?share=copy",
"tags": [
"x_refsource_MISC"
],
"url": "https://vimeo.com/907641887?share=copy"
}
],
"source": {
"advisory": "GHSA-qcj9-939p-p662",
"discovery": "UNKNOWN"
},
"title": "FastDDS heap buffer overflow when publisher sends malformed packet"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-30259",
"datePublished": "2024-05-13T14:45:28.134Z",
"dateReserved": "2024-03-26T12:52:00.934Z",
"dateUpdated": "2024-08-02T01:32:05.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30258 (GCVE-0-2024-30258)
Vulnerability from cvelistv5 – Published: 2024-05-13 14:41 – Updated: 2024-08-02 01:32
VLAI?
Title
FastDDS crash when publisher send malformed packet
Summary
FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8, when a publisher serves a malformed `RTPS` packet, the subscriber crashes when creating `pthread`. This can remotely crash any Fast-DDS process, potentially leading to a DOS attack. Versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8 contain a patch for the issue.
Severity ?
8.2 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:eprosima:fast_dds:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fast_dds",
"vendor": "eprosima",
"versions": [
{
"status": "affected",
"version": "-"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30258",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-13T19:52:29.397980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:39:13.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:32:05.303Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-53xw-465j-rxfh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-53xw-465j-rxfh"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/65236f93e9c4ea3ff9a49fba4dfd9e43eb94037b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/65236f93e9c4ea3ff9a49fba4dfd9e43eb94037b"
},
{
"name": "https://drive.google.com/file/d/19W5UC52hPnAqVq_boZWO45d1TJ4WoCSh/view?usp=sharing",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://drive.google.com/file/d/19W5UC52hPnAqVq_boZWO45d1TJ4WoCSh/view?usp=sharing"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "= 2.14.0"
},
{
"status": "affected",
"version": "\u003e= 2.13.0, \u003c 2.13.5"
},
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.10.4"
},
{
"status": "affected",
"version": "\u003c 2.6.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8, when a publisher serves a malformed `RTPS` packet, the subscriber crashes when creating `pthread`. This can remotely crash any Fast-DDS process, potentially leading to a DOS attack. Versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8 contain a patch for the issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-13T14:41:52.318Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-53xw-465j-rxfh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-53xw-465j-rxfh"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/65236f93e9c4ea3ff9a49fba4dfd9e43eb94037b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/65236f93e9c4ea3ff9a49fba4dfd9e43eb94037b"
},
{
"name": "https://drive.google.com/file/d/19W5UC52hPnAqVq_boZWO45d1TJ4WoCSh/view?usp=sharing",
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/file/d/19W5UC52hPnAqVq_boZWO45d1TJ4WoCSh/view?usp=sharing"
}
],
"source": {
"advisory": "GHSA-53xw-465j-rxfh",
"discovery": "UNKNOWN"
},
"title": "FastDDS crash when publisher send malformed packet"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-30258",
"datePublished": "2024-05-13T14:41:52.318Z",
"dateReserved": "2024-03-26T12:52:00.934Z",
"dateUpdated": "2024-08-02T01:32:05.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30917 (GCVE-0-2024-30917)
Vulnerability from cvelistv5 – Published: 2024-04-11 00:00 – Updated: 2024-08-02 01:39
VLAI?
Summary
An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (DoS) and obtain sensitive information via a crafted history_depth parameter in DurabilityService QoS component.
Severity ?
5.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:eprosima:fast_dds:2.14.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fast_dds",
"vendor": "eprosima",
"versions": [
{
"status": "affected",
"version": "2.14.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-30917",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-31T17:44:00.988478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-229",
"description": "CWE-229 Improper Handling of Values",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T17:51:14.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:39:00.937Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/issues/4609"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (DoS) and obtain sensitive information via a crafted history_depth parameter in DurabilityService QoS component."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-11T05:22:48.355729",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/eProsima/Fast-DDS/issues/4609"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-30917",
"datePublished": "2024-04-11T00:00:00",
"dateReserved": "2024-03-27T00:00:00",
"dateUpdated": "2024-08-02T01:39:00.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30916 (GCVE-0-2024-30916)
Vulnerability from cvelistv5 – Published: 2024-04-11 00:00 – Updated: 2025-02-10 22:45
VLAI?
Summary
An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (DoS) and obtain sensitive information via a crafted max_samples parameter in DurabilityService QoS component.
Severity ?
4 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:39:00.924Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/issues/4609"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-30916",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T20:20:33.744192Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T22:45:11.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (DoS) and obtain sensitive information via a crafted max_samples parameter in DurabilityService QoS component."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-11T05:22:46.573Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/eProsima/Fast-DDS/issues/4609"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-30916",
"datePublished": "2024-04-11T00:00:00.000Z",
"dateReserved": "2024-03-27T00:00:00.000Z",
"dateUpdated": "2025-02-10T22:45:11.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28231 (GCVE-0-2024-28231)
Vulnerability from cvelistv5 – Published: 2024-03-20 20:03 – Updated: 2024-08-02 00:48
VLAI?
Title
Manipulated DATA Submessage causes a heap-buffer-overflow error
Summary
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8, manipulated DATA Submessage can cause a heap overflow error in the Fast-DDS process, causing the process to be terminated remotely. Additionally, the payload_size in the DATA Submessage packet is declared as uint32_t. When a negative number, such as -1, is input into this variable, it results in an Integer Overflow (for example, -1 gets converted to 0xFFFFFFFF). This eventually leads to a heap-buffer-overflow, causing the program to terminate. Versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8 contain a fix for this issue.
Severity ?
9.7 (Critical)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:eprosima:fast_dds:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fast_dds",
"vendor": "eprosima",
"versions": [
{
"lessThan": "2.6.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:eprosima:fast_dds:2.7.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fast_dds",
"vendor": "eprosima",
"versions": [
{
"lessThan": "2.10.4",
"status": "affected",
"version": "2.7.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:eprosima:fast_dds:2.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fast_dds",
"vendor": "eprosima",
"versions": [
{
"lessThan": "2.12.2",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:eprosima:fast_dds:2.13.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fast_dds",
"vendor": "eprosima",
"versions": [
{
"lessThan": "2.13.4",
"status": "affected",
"version": "2.13.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28231",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T18:04:46.844368Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T18:12:42.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-9m2j-qw67-ph4w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-9m2j-qw67-ph4w"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/355706386f4af9ce74125eeec3c449b06113112b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/355706386f4af9ce74125eeec3c449b06113112b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.8"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.10.4"
},
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c 2.12.2"
},
{
"status": "affected",
"version": "\u003e= 2.13.0, \u003c 2.13.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8, manipulated DATA Submessage can cause a heap overflow error in the Fast-DDS process, causing the process to be terminated remotely. Additionally, the payload_size in the DATA Submessage packet is declared as uint32_t. When a negative number, such as -1, is input into this variable, it results in an Integer Overflow (for example, -1 gets converted to 0xFFFFFFFF). This eventually leads to a heap-buffer-overflow, causing the program to terminate. Versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-20T20:03:18.402Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-9m2j-qw67-ph4w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-9m2j-qw67-ph4w"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/355706386f4af9ce74125eeec3c449b06113112b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/355706386f4af9ce74125eeec3c449b06113112b"
}
],
"source": {
"advisory": "GHSA-9m2j-qw67-ph4w",
"discovery": "UNKNOWN"
},
"title": "Manipulated DATA Submessage causes a heap-buffer-overflow error"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28231",
"datePublished": "2024-03-20T20:03:18.402Z",
"dateReserved": "2024-03-07T14:33:30.034Z",
"dateUpdated": "2024-08-02T00:48:49.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50716 (GCVE-0-2023-50716)
Vulnerability from cvelistv5 – Published: 2024-03-06 17:23 – Updated: 2024-08-02 22:16
VLAI?
Title
Invalid DATA_FRAG Submessage causes a bad-free error
Summary
eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7, an invalid DATA_FRAG Submessage causes a bad-free error, and the Fast-DDS process can be remotely terminated. If an invalid Data_Frag packet is sent, the `Inline_qos, SerializedPayload` member of object `ch` will attempt to release memory without initialization, resulting in a 'bad-free' error. Versions 2.13.0, 2.12.2, 2.11.3, 2.10.2, and 2.6.7 fix this issue.
Severity ?
9.7 (Critical)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-06T19:52:53.644084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:09.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:47.221Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-5m2f-hvj2-cx2h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-5m2f-hvj2-cx2h"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c 2.12.2"
},
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c 2.11.3"
},
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.10.3"
},
{
"status": "affected",
"version": "\u003c 2.6.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7, an invalid DATA_FRAG Submessage causes a bad-free error, and the Fast-DDS process can be remotely terminated. If an invalid Data_Frag packet is sent, the `Inline_qos, SerializedPayload` member of object `ch` will attempt to release memory without initialization, resulting in a \u0027bad-free\u0027 error. Versions 2.13.0, 2.12.2, 2.11.3, 2.10.2, and 2.6.7 fix this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-06T17:23:55.916Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-5m2f-hvj2-cx2h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-5m2f-hvj2-cx2h"
}
],
"source": {
"advisory": "GHSA-5m2f-hvj2-cx2h",
"discovery": "UNKNOWN"
},
"title": "Invalid DATA_FRAG Submessage causes a bad-free error"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50716",
"datePublished": "2024-03-06T17:23:55.916Z",
"dateReserved": "2023-12-11T17:53:36.029Z",
"dateUpdated": "2024-08-02T22:16:47.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50257 (GCVE-0-2023-50257)
Vulnerability from cvelistv5 – Published: 2024-02-19 19:22 – Updated: 2024-08-14 13:54
VLAI?
Title
Disconnect Vulnerability in RTPS Packets Used by SROS2
Summary
eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Even with the application of SROS2, due to the issue where the data (`p[UD]`) and `guid` values used to disconnect between nodes are not encrypted, a vulnerability has been discovered where a malicious attacker can forcibly disconnect a Subscriber and can deny a Subscriber attempting to connect. Afterwards, if the attacker sends the packet for disconnecting, which is data (`p[UD]`), to the Global Data Space (`239.255.0.1:7400`) using the said Publisher ID, all the Subscribers (Listeners) connected to the Publisher (Talker) will not receive any data and their connection will be disconnected. Moreover, if this disconnection packet is sent continuously, the Subscribers (Listeners) trying to connect will not be able to do so. Since the initial commit of the `SecurityManager.cpp` code (`init`, `on_process_handshake`) on Nov 8, 2016, the Disconnect Vulnerability in RTPS Packets Used by SROS2 has been present prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7.
Severity ?
9.7 (Critical)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| eProsima | Fast-DDS |
Affected:
>= 2.12.0, < 2.12.2
Affected: >= 2.11.0, < 2.11.3 Affected: >= 2.7.0, < 2.10.3 Affected: < 2.6.7 Affected: FastDDS = 2.10.2-2 Affected: RMW - FastDDS = 7.1.1-2 Affected: FastDDS = 2.6.6-1 Affected: RMW - FastDDS = 6.2.3.1 Affected: FastDDS = 2.3.6-6 Affected: RMW - FastDDS = 5.0.2-1 Affected: FastDDS = 2.1.4-1 Affected: RMW - FastDDS = 1.3.2-1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-v5r6-8mvh-cp98",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-v5r6-8mvh-cp98"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/072cbc9d6a71d869a5cbed1873c0cdd6cf67cda4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/072cbc9d6a71d869a5cbed1873c0cdd6cf67cda4"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/e1869863c06db7fbb366ae53760fbe6e754be026",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/e1869863c06db7fbb366ae53760fbe6e754be026"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/f07a0213e655202188840b864be4438ae1067a13",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/f07a0213e655202188840b864be4438ae1067a13"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/f2e5ceae8fbea0a6c9445a366faaca0b98a8ef86",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/f2e5ceae8fbea0a6c9445a366faaca0b98a8ef86"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fast_dds",
"vendor": "eprosima",
"versions": [
{
"lessThan": "2.13.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.12.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.11.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.10.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.6.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50257",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T13:51:37.335841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T13:54:54.506Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c 2.12.2"
},
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c 2.11.3"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.10.3"
},
{
"status": "affected",
"version": "\u003c 2.6.7"
},
{
"status": "affected",
"version": "FastDDS = 2.10.2-2"
},
{
"status": "affected",
"version": "RMW - FastDDS = 7.1.1-2"
},
{
"status": "affected",
"version": "FastDDS = 2.6.6-1"
},
{
"status": "affected",
"version": "RMW - FastDDS = 6.2.3.1"
},
{
"status": "affected",
"version": "FastDDS = 2.3.6-6"
},
{
"status": "affected",
"version": "RMW - FastDDS = 5.0.2-1"
},
{
"status": "affected",
"version": "FastDDS = 2.1.4-1"
},
{
"status": "affected",
"version": "RMW - FastDDS = 1.3.2-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Even with the application of SROS2, due to the issue where the data (`p[UD]`) and `guid` values used to disconnect between nodes are not encrypted, a vulnerability has been discovered where a malicious attacker can forcibly disconnect a Subscriber and can deny a Subscriber attempting to connect. Afterwards, if the attacker sends the packet for disconnecting, which is data (`p[UD]`), to the Global Data Space (`239.255.0.1:7400`) using the said Publisher ID, all the Subscribers (Listeners) connected to the Publisher (Talker) will not receive any data and their connection will be disconnected. Moreover, if this disconnection packet is sent continuously, the Subscribers (Listeners) trying to connect will not be able to do so. Since the initial commit of the `SecurityManager.cpp` code (`init`, `on_process_handshake`) on Nov 8, 2016, the Disconnect Vulnerability in RTPS Packets Used by SROS2 has been present prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-19T19:22:45.526Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-v5r6-8mvh-cp98",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-v5r6-8mvh-cp98"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/072cbc9d6a71d869a5cbed1873c0cdd6cf67cda4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/072cbc9d6a71d869a5cbed1873c0cdd6cf67cda4"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/e1869863c06db7fbb366ae53760fbe6e754be026",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/e1869863c06db7fbb366ae53760fbe6e754be026"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/f07a0213e655202188840b864be4438ae1067a13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/f07a0213e655202188840b864be4438ae1067a13"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/f2e5ceae8fbea0a6c9445a366faaca0b98a8ef86",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/f2e5ceae8fbea0a6c9445a366faaca0b98a8ef86"
}
],
"source": {
"advisory": "GHSA-v5r6-8mvh-cp98",
"discovery": "UNKNOWN"
},
"title": "Disconnect Vulnerability in RTPS Packets Used by SROS2"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50257",
"datePublished": "2024-02-19T19:22:45.526Z",
"dateReserved": "2023-12-05T20:42:59.378Z",
"dateUpdated": "2024-08-14T13:54:54.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42459 (GCVE-0-2023-42459)
Vulnerability from cvelistv5 – Published: 2023-10-16 20:56 – Updated: 2025-02-13 17:09
VLAI?
Title
Malformed DATA submessage leads to bad-free error in Fast-DDS
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). In affected versions specific DATA submessages can be sent to a discovery locator which may trigger a free error. This can remotely crash any Fast-DDS process. The call to free() could potentially leave the pointer in the attackers control which could lead to a double free. This issue has been addressed in versions 2.12.0, 2.11.3, 2.10.3, and 2.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
8.6 (High)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:23:38.899Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gm"
},
{
"name": "https://github.com/eProsima/Fast-DDS/issues/3207",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/issues/3207"
},
{
"name": "https://github.com/eProsima/Fast-DDS/pull/3824",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/pull/3824"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5568"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42459",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T16:15:17.004500Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T16:15:25.627Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c= 2.11.1"
},
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.10.3"
},
{
"status": "affected",
"version": "\u003c 2.6.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). In affected versions specific DATA submessages can be sent to a discovery locator which may trigger a free error. This can remotely crash any Fast-DDS process. The call to free() could potentially leave the pointer in the attackers control which could lead to a double free. This issue has been addressed in versions 2.12.0, 2.11.3, 2.10.3, and 2.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415: Double Free",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-590",
"description": "CWE-590: Free of Memory not on the Heap",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-28T01:06:14.051Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gm"
},
{
"name": "https://github.com/eProsima/Fast-DDS/issues/3207",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/issues/3207"
},
{
"name": "https://github.com/eProsima/Fast-DDS/pull/3824",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/pull/3824"
},
{
"url": "https://www.debian.org/security/2023/dsa-5568"
}
],
"source": {
"advisory": "GHSA-gq8g-fj58-22gm",
"discovery": "UNKNOWN"
},
"title": "Malformed DATA submessage leads to bad-free error in Fast-DDS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42459",
"datePublished": "2023-10-16T20:56:04.284Z",
"dateReserved": "2023-09-08T20:57:45.574Z",
"dateUpdated": "2025-02-13T17:09:23.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39949 (GCVE-0-2023-39949)
Vulnerability from cvelistv5 – Published: 2023-08-11 13:55 – Updated: 2025-02-13 17:03
VLAI?
Title
Improper validation of sequence numbers leading to remotely reachable assertion failure
Summary
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.9.1 and 2.6.5, improper validation of sequence numbers may lead to remotely reachable assertion failure. This can remotely crash any Fast-DDS process. Versions 2.9.1 and 2.6.5 contain a patch for this issue.
Severity ?
7.5 (High)
CWE
- CWE-617 - Reachable Assertion
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:18:10.157Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-3jv9-j9x3-95cg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-3jv9-j9x3-95cg"
},
{
"name": "https://github.com/eProsima/Fast-DDS/issues/3236",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/issues/3236"
},
{
"name": "https://github.com/eProsima/Fast-DDS/blob/v2.9.0/src/cpp/rtps/messages/MessageReceiver.cpp#L1059",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/blob/v2.9.0/src/cpp/rtps/messages/MessageReceiver.cpp#L1059"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5481"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39949",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T18:16:14.050913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T18:16:30.032Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.9.1"
},
{
"status": "affected",
"version": "\u003c 2.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.9.1 and 2.6.5, improper validation of sequence numbers may lead to remotely reachable assertion failure. This can remotely crash any Fast-DDS process. Versions 2.9.1 and 2.6.5 contain a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617: Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-21T03:06:17.242Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-3jv9-j9x3-95cg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-3jv9-j9x3-95cg"
},
{
"name": "https://github.com/eProsima/Fast-DDS/issues/3236",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/issues/3236"
},
{
"name": "https://github.com/eProsima/Fast-DDS/blob/v2.9.0/src/cpp/rtps/messages/MessageReceiver.cpp#L1059",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/blob/v2.9.0/src/cpp/rtps/messages/MessageReceiver.cpp#L1059"
},
{
"url": "https://www.debian.org/security/2023/dsa-5481"
}
],
"source": {
"advisory": "GHSA-3jv9-j9x3-95cg",
"discovery": "UNKNOWN"
},
"title": "Improper validation of sequence numbers leading to remotely reachable assertion failure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39949",
"datePublished": "2023-08-11T13:55:14.350Z",
"dateReserved": "2023-08-07T16:27:27.074Z",
"dateUpdated": "2025-02-13T17:03:18.750Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39948 (GCVE-0-2023-39948)
Vulnerability from cvelistv5 – Published: 2023-08-11 13:51 – Updated: 2025-02-13 17:03
VLAI?
Title
Uncaught fastcdr exception (Unexpected CDR type received) crashing fastdds
Summary
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.10.0 and 2.6.5, the `BadParamException` thrown by Fast CDR is not caught in Fast DDS. This can remotely crash any Fast DDS process. Versions 2.10.0 and 2.6.5 contain a patch for this issue.
Severity ?
7.5 (High)
CWE
- CWE-248 - Uncaught Exception
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:18:10.172Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-x9pj-vrgf-f68f",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-x9pj-vrgf-f68f"
},
{
"name": "https://github.com/eProsima/Fast-DDS/issues/3422",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/issues/3422"
},
{
"name": "https://github.com/eProsima/Fast-DDS/files/11117197/fastdds-assert.pcap.zip",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/files/11117197/fastdds-assert.pcap.zip"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5481"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39948",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T18:17:56.742500Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T18:18:58.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.5"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.10.0 and 2.6.5, the `BadParamException` thrown by Fast CDR is not caught in Fast DDS. This can remotely crash any Fast DDS process. Versions 2.10.0 and 2.6.5 contain a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-21T03:06:18.795Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-x9pj-vrgf-f68f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-x9pj-vrgf-f68f"
},
{
"name": "https://github.com/eProsima/Fast-DDS/issues/3422",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/issues/3422"
},
{
"name": "https://github.com/eProsima/Fast-DDS/files/11117197/fastdds-assert.pcap.zip",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/files/11117197/fastdds-assert.pcap.zip"
},
{
"url": "https://www.debian.org/security/2023/dsa-5481"
}
],
"source": {
"advisory": "GHSA-x9pj-vrgf-f68f",
"discovery": "UNKNOWN"
},
"title": "Uncaught fastcdr exception (Unexpected CDR type received) crashing fastdds"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39948",
"datePublished": "2023-08-11T13:51:38.871Z",
"dateReserved": "2023-08-07T16:27:27.074Z",
"dateUpdated": "2025-02-13T17:03:18.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39947 (GCVE-0-2023-39947)
Vulnerability from cvelistv5 – Published: 2023-08-11 13:43 – Updated: 2025-02-13 17:03
VLAI?
Title
Another heap overflow in push_back_helper
Summary
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, even after the fix at commit 3492270, malformed `PID_PROPERTY_LIST` parameters cause heap overflow at a different program counter. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue.
Severity ?
8.2 (High)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:18:10.117Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-mf55-5747-c4pv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-mf55-5747-c4pv"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/349227005827e8a67a0406b823138b5068cc47dc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/349227005827e8a67a0406b823138b5068cc47dc"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5481"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39947",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T14:09:15.744600Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T14:09:26.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.6"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.9.2"
},
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.10.2"
},
{
"status": "affected",
"version": "= 2.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, even after the fix at commit 3492270, malformed `PID_PROPERTY_LIST` parameters cause heap overflow at a different program counter. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-21T03:06:10.852Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-mf55-5747-c4pv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-mf55-5747-c4pv"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/349227005827e8a67a0406b823138b5068cc47dc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/349227005827e8a67a0406b823138b5068cc47dc"
},
{
"url": "https://www.debian.org/security/2023/dsa-5481"
}
],
"source": {
"advisory": "GHSA-mf55-5747-c4pv",
"discovery": "UNKNOWN"
},
"title": "Another heap overflow in push_back_helper"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39947",
"datePublished": "2023-08-11T13:43:26.484Z",
"dateReserved": "2023-08-07T16:27:27.074Z",
"dateUpdated": "2025-02-13T17:03:17.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39946 (GCVE-0-2023-39946)
Vulnerability from cvelistv5 – Published: 2023-08-11 13:37 – Updated: 2025-02-13 17:03
VLAI?
Title
Heap overflow in push_back_helper due to a CDR message
Summary
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, heap can be overflowed by providing a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual content. In `eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper`, `memcpy` is called to first copy the octet'ized length and then to copy the data into `properties_.data`. At the second memcpy, both `data` and `size` can be controlled by anyone that sends the CDR string to the discovery multicast port. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue.
Severity ?
8.2 (High)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:18:10.179Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-j297-rg6j-m7hx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-j297-rg6j-m7hx"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/349227005827e8a67a0406b823138b5068cc47dc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/349227005827e8a67a0406b823138b5068cc47dc"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5481"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39946",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T14:22:11.929256Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T14:22:26.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.6"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.9.2"
},
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.10.2"
},
{
"status": "affected",
"version": "= 2.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, heap can be overflowed by providing a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual content. In `eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper`, `memcpy` is called to first copy the octet\u0027ized length and then to copy the data into `properties_.data`. At the second memcpy, both `data` and `size` can be controlled by anyone that sends the CDR string to the discovery multicast port. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-21T03:06:14.033Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-j297-rg6j-m7hx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-j297-rg6j-m7hx"
},
{
"name": "https://github.com/eProsima/Fast-DDS/commit/349227005827e8a67a0406b823138b5068cc47dc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/349227005827e8a67a0406b823138b5068cc47dc"
},
{
"url": "https://www.debian.org/security/2023/dsa-5481"
}
],
"source": {
"advisory": "GHSA-j297-rg6j-m7hx",
"discovery": "UNKNOWN"
},
"title": "Heap overflow in push_back_helper due to a CDR message"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39946",
"datePublished": "2023-08-11T13:37:07.478Z",
"dateReserved": "2023-08-07T16:27:27.074Z",
"dateUpdated": "2025-02-13T17:03:16.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39945 (GCVE-0-2023-39945)
Vulnerability from cvelistv5 – Published: 2023-08-11 13:21 – Updated: 2025-02-13 17:03
VLAI?
Title
Malformed serialized data in a data submessage leads to unhandled exception
Summary
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5, a data submessage sent to PDP port raises unhandled `BadParamException` in fastcdr, which in turn crashes fastdds. Versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5 contain a patch for this issue.
Severity ?
8.2 (High)
CWE
- CWE-248 - Uncaught Exception
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:18:10.083Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-2rq6-8j7x-frr9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-2rq6-8j7x-frr9"
},
{
"name": "https://bombshell.gtisc.gatech.edu/ddsfuzz/pcap/fastdds-exception-20230509-02.pcap",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bombshell.gtisc.gatech.edu/ddsfuzz/pcap/fastdds-exception-20230509-02.pcap"
},
{
"name": "https://github.com/eProsima/Fast-CDR/blob/v1.0.26/src/cpp/Cdr.cpp#L72-L79",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-CDR/blob/v1.0.26/src/cpp/Cdr.cpp#L72-L79"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5481"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39945",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T18:53:33.089778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T18:53:52.537Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.5"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.9.2"
},
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5, a data submessage sent to PDP port raises unhandled `BadParamException` in fastcdr, which in turn crashes fastdds. Versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5 contain a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-21T03:06:12.473Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-2rq6-8j7x-frr9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-2rq6-8j7x-frr9"
},
{
"name": "https://bombshell.gtisc.gatech.edu/ddsfuzz/pcap/fastdds-exception-20230509-02.pcap",
"tags": [
"x_refsource_MISC"
],
"url": "https://bombshell.gtisc.gatech.edu/ddsfuzz/pcap/fastdds-exception-20230509-02.pcap"
},
{
"name": "https://github.com/eProsima/Fast-CDR/blob/v1.0.26/src/cpp/Cdr.cpp#L72-L79",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-CDR/blob/v1.0.26/src/cpp/Cdr.cpp#L72-L79"
},
{
"url": "https://www.debian.org/security/2023/dsa-5481"
}
],
"source": {
"advisory": "GHSA-2rq6-8j7x-frr9",
"discovery": "UNKNOWN"
},
"title": "Malformed serialized data in a data submessage leads to unhandled exception"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39945",
"datePublished": "2023-08-11T13:21:53.298Z",
"dateReserved": "2023-08-07T16:27:27.074Z",
"dateUpdated": "2025-02-13T17:03:16.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39534 (GCVE-0-2023-39534)
Vulnerability from cvelistv5 – Published: 2023-08-11 13:12 – Updated: 2025-02-13 17:03
VLAI?
Title
Malformed GAP submessage triggers assertion failure
Summary
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.10.0, 2.9.2, and 2.6.5, a malformed GAP submessage can trigger assertion failure, crashing FastDDS. Version 2.10.0, 2.9.2, and 2.6.5 contain a patch for this issue.
Severity ?
7.5 (High)
CWE
- CWE-617 - Reachable Assertion
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:21.131Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-fcr6-x23w-94wp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-fcr6-x23w-94wp"
},
{
"name": "https://bombshell.gtisc.gatech.edu/ddsfuzz/pcap/fastdds-assert-230509.pcap",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bombshell.gtisc.gatech.edu/ddsfuzz/pcap/fastdds-assert-230509.pcap"
},
{
"name": "https://github.com/eProsima/Fast-DDS/blob/v2.9.1/include/fastdds/rtps/common/SequenceNumber.h#L238-L252",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/blob/v2.9.1/include/fastdds/rtps/common/SequenceNumber.h#L238-L252"
},
{
"name": "https://github.com/eProsima/Fast-DDS/blob/v2.9.1/src/cpp/rtps/reader/StatefulReader.cpp#L863",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS/blob/v2.9.1/src/cpp/rtps/reader/StatefulReader.cpp#L863"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5481"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39534",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T18:56:42.571569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T18:56:49.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.5"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.9.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.10.0, 2.9.2, and 2.6.5, a malformed GAP submessage can trigger assertion failure, crashing FastDDS. Version 2.10.0, 2.9.2, and 2.6.5 contain a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617: Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-21T03:06:15.558Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-fcr6-x23w-94wp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-fcr6-x23w-94wp"
},
{
"name": "https://bombshell.gtisc.gatech.edu/ddsfuzz/pcap/fastdds-assert-230509.pcap",
"tags": [
"x_refsource_MISC"
],
"url": "https://bombshell.gtisc.gatech.edu/ddsfuzz/pcap/fastdds-assert-230509.pcap"
},
{
"name": "https://github.com/eProsima/Fast-DDS/blob/v2.9.1/include/fastdds/rtps/common/SequenceNumber.h#L238-L252",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/blob/v2.9.1/include/fastdds/rtps/common/SequenceNumber.h#L238-L252"
},
{
"name": "https://github.com/eProsima/Fast-DDS/blob/v2.9.1/src/cpp/rtps/reader/StatefulReader.cpp#L863",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-DDS/blob/v2.9.1/src/cpp/rtps/reader/StatefulReader.cpp#L863"
},
{
"url": "https://www.debian.org/security/2023/dsa-5481"
}
],
"source": {
"advisory": "GHSA-fcr6-x23w-94wp",
"discovery": "UNKNOWN"
},
"title": "Malformed GAP submessage triggers assertion failure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39534",
"datePublished": "2023-08-11T13:12:00.633Z",
"dateReserved": "2023-08-03T16:27:36.264Z",
"dateUpdated": "2025-02-13T17:03:12.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38425 (GCVE-0-2021-38425)
Vulnerability from cvelistv5 – Published: 2022-05-05 15:24 – Updated: 2025-04-16 16:23
VLAI?
Title
eProsima Fast DDS Network Amplification
Summary
eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-service condition and information exposure.
Severity ?
7.5 (High)
CWE
- CWE-406 - Insufficient Control of Network Message Volume (Network Amplification)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
Federico Maggi (Trend Micro Research), Ta-Lun Yen, and Chizuru Toyama (TXOne Networks, Trend Micro) reported these vulnerabilities to CISA. In addition, Patrick Kuo, Mars Cheng (TXOne Networks, Trend Micro), Víctor Mayoral-Vilches (Alias Robotics), and Erik Boasson (ADLINK Technology) also contributed to this research.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:44:22.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-DDS"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-38425",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:56:35.212159Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:23:11.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fast DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "2.4.0 (#2269)",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Federico Maggi (Trend Micro Research), Ta-Lun Yen, and Chizuru Toyama (TXOne Networks, Trend Micro) reported these vulnerabilities to CISA. In addition, Patrick Kuo, Mars Cheng (TXOne Networks, Trend Micro), V\u00edctor Mayoral-Vilches (Alias Robotics), and Erik Boasson (ADLINK Technology) also contributed to this research."
}
],
"descriptions": [
{
"lang": "en",
"value": "eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-service condition and information exposure."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-406",
"description": "CWE-406 Insufficient Control of Network Message Volume (Network Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T15:24:24.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS"
}
],
"solutions": [
{
"lang": "en",
"value": "eProsima recommends users apply the latest Fast DDS patches.\nhttps://github.com/eProsima/Fast-DDS"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "eProsima Fast DDS Network Amplification",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2021-38425",
"STATE": "PUBLIC",
"TITLE": "eProsima Fast DDS Network Amplification"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Fast DDS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.4.0 (#2269)"
}
]
}
}
]
},
"vendor_name": "eProsima"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Federico Maggi (Trend Micro Research), Ta-Lun Yen, and Chizuru Toyama (TXOne Networks, Trend Micro) reported these vulnerabilities to CISA. In addition, Patrick Kuo, Mars Cheng (TXOne Networks, Trend Micro), V\u00edctor Mayoral-Vilches (Alias Robotics), and Erik Boasson (ADLINK Technology) also contributed to this research."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-service condition and information exposure."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-406 Insufficient Control of Network Message Volume (Network Amplification)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02",
"refsource": "CONFIRM",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02"
},
{
"name": "https://github.com/eProsima/Fast-DDS",
"refsource": "CONFIRM",
"url": "https://github.com/eProsima/Fast-DDS"
}
]
},
"solution": [
{
"lang": "en",
"value": "eProsima recommends users apply the latest Fast DDS patches.\nhttps://github.com/eProsima/Fast-DDS"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-38425",
"datePublished": "2022-05-05T15:24:24.000Z",
"dateReserved": "2021-08-10T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:23:11.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15137 (GCVE-0-2019-15137)
Vulnerability from cvelistv5 – Published: 2019-08-18 15:44 – Updated: 2024-08-05 00:34
VLAI?
Summary
The Access Control plugin in eProsima Fast RTPS through 1.9.0 allows fnmatch pattern matches with topic name strings (instead of the permission expressions themselves), which can lead to unintended connections between participants in a Data Distribution Service (DDS) network.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.278Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://arxiv.org/abs/1908.05310"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-RTPS/issues/441"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Access Control plugin in eProsima Fast RTPS through 1.9.0 allows fnmatch pattern matches with topic name strings (instead of the permission expressions themselves), which can lead to unintended connections between participants in a Data Distribution Service (DDS) network."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-18T15:44:12",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://arxiv.org/abs/1908.05310"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-RTPS/issues/441"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15137",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Access Control plugin in eProsima Fast RTPS through 1.9.0 allows fnmatch pattern matches with topic name strings (instead of the permission expressions themselves), which can lead to unintended connections between participants in a Data Distribution Service (DDS) network."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://arxiv.org/abs/1908.05310",
"refsource": "MISC",
"url": "https://arxiv.org/abs/1908.05310"
},
{
"name": "https://github.com/eProsima/Fast-RTPS/issues/441",
"refsource": "MISC",
"url": "https://github.com/eProsima/Fast-RTPS/issues/441"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15137",
"datePublished": "2019-08-18T15:44:12",
"dateReserved": "2019-08-18T00:00:00",
"dateUpdated": "2024-08-05T00:34:53.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15136 (GCVE-0-2019-15136)
Vulnerability from cvelistv5 – Published: 2019-08-18 15:43 – Updated: 2024-08-05 00:34
VLAI?
Summary
The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.381Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://arxiv.org/abs/1908.05310"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/eProsima/Fast-RTPS/issues/443"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-18T15:43:46",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://arxiv.org/abs/1908.05310"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/eProsima/Fast-RTPS/issues/443"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15136",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not check partition permissions from remote participant connections, which can lead to policy bypass for a secure Data Distribution Service (DDS) partition."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://arxiv.org/abs/1908.05310",
"refsource": "MISC",
"url": "https://arxiv.org/abs/1908.05310"
},
{
"name": "https://github.com/eProsima/Fast-RTPS/issues/443",
"refsource": "MISC",
"url": "https://github.com/eProsima/Fast-RTPS/issues/443"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15136",
"datePublished": "2019-08-18T15:43:46",
"dateReserved": "2019-08-18T00:00:00",
"dateUpdated": "2024-08-05T00:34:53.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}