CVE-2021-37146: 
Linux Debian vulnerability analysis and mitigation

An infinite loop vulnerability was discovered in Open Robotics roscomm XMLRPC server affecting ROS Melodic through version 1.4.11 and ROS Noetic through version 1.15.11. The vulnerability was identified and disclosed on September 27, 2021. The affected systems include the roscomm package in ROS (Robot Operating System) Melodic and Noetic distributions (ROS Melodic, ROS Noetic).

The vulnerability exists in the XMLRPC server component of roscomm where a malformed XMLRPC request would cause roscore to spend excessive time processing the request. This vulnerability allows remote attackers to cause a Denial of Service in roscomm via a crafted XMLRPC call. The issue has been assigned a CVSS v3.1 base score of 7.5 (High) (NVD).

The primary impact of this vulnerability is the potential for Denial of Service attacks against the ROS system. When exploited, the vulnerability causes roscore to become unresponsive due to excessive processing time of malformed requests. However, the impact was rated as low by the ROS team since an attacker with access to roscore could perform various other denial-of-service attacks or worse (ROS Melodic).

The vulnerability was fixed in ros_comm version 1.14.12 for ROS Melodic and version 1.15.13 for ROS Noetic. The fix makes the XMLRPC server in roscore reject malformed requests. Users should upgrade to these or later versions to mitigate the vulnerability (ROS Melodic, ROS Noetic).

The vulnerability was initially reported by Junfeng Yang from Didi Research America, LLC. The ROS team assessed the vulnerability's impact as low, noting that an attacker with access to roscore could potentially perform other more severe attacks (ROS Melodic).