RVD icon indicating copy to clipboard operation
RVD copied to clipboard

Published 20 hours ago verified publisher icon aliasrobotics

RVD#12: Authentication bypass vulnerability in SoftBank's Pepper and NAO robots's web console

Open aliasbot opened this issue 7 years ago • 3 comments 

{
    "id": 12,
    "title": "RVD#12: Authentication bypass vulnerability in SoftBank's Pepper and NAO robots's web console",
    "type": "vulnerability",
    "description": " An authentication bypass vulnerability in SoftBank's Pepper and NAO robots's web console could allow remote attackers to gain access to restricted resources and alter settings via web browser request tampering. Affects all versions",
    "cwe": "CWE-287",
    "cve": "None",
    "keywords": [
        "robot: NAO",
        "robot: Pepper",
        "vendor: SoftBank Robotics",
        "vulnerability"
    ],
    "system": "NAO / Pepper",
    "vendor": "SoftBank Robotics",
    "severity": {
        "rvss-score": 7.9,
        "rvss-vector": "RVSS:1.0/AV:IN/AC:L/PR:N/UI:R/Y:M/S:U/C:H/I:H/A:H/H:N",
        "severity-description": "High",
        "cvss-score": 8.8,
        "cvss-vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/"
    },
    "links": [
        "https://github.com/aliasrobotics/RVD/issues/14"
    ],
    "flaw": {
        "phase": "testing",
        "specificity": "general-issue",
        "architectural-location": "platform code",
        "application": "NaoQi",
        "subsystem": "web console",
        "package": "N/A",
        "languages": "None",
        "date-detected": "2017-03-01",
        "detected-by": "Cesar Cerrudo and Lucas Apa from IOActive",
        "detected-by-method": "Testing dynamic",
        "date-reported": "2017-03-01",
        "reported-by": "Alias Robotics",
        "reported-by-relationship": "Security researcher",
        "issue": "https://github.com/aliasrobotics/RVD/issues/14",
        "reproducibility": "Always",
        "trace": "N/A",
        "reproduction": "N/A",
        "reproduction-image": "N/A"
    },
    "exploitation": {
        "description": "N/A",
        "exploitation-image": "N/A",
        "exploitation-vector": "N/A"
    },
    "mitigation": {
        "description": "N/A",
        "pull-request": "N/A",
        "date-mitigation": null
    }
}

aliasbot avatar Aug 07 '18 16:08 aliasbot

Feedback (automatically generated):

  • FIXME: Flaw not identified as a vulnerability, weakness or exposure. Have you included # Vulnerability (or Weakness or Exposure) report at the top of the ticket?, see Vulnerability report template for more information or review other tickets to get inspiration

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.

github-actions[bot] avatar Oct 27 '19 17:10 github-actions[bot]

Feedback (automatically generated):

  • FIXME: Robot or Robot component not present in summary table or invalid, see Vulnerability report template for more information or review other tickets and get inspiration

Please review the feedback above. Once addressed, either request the removal of the malformed label to trigger another automatic review.

github-actions[bot] avatar Oct 29 '19 13:10 github-actions[bot]

Triage Completed.

glerapic avatar Jun 02 '20 09:06 glerapic