CVE-2023-24011
Published: 09 January 2025
Summary
CVE-2023-24011 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 8.2 (High).
Operationally, it ranks at the 30.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-17 (Public Key Infrastructure Certificates): Mandates validation of public key certificates prior to use, directly addressing the improper PKCS7_verify implementation flaw in certificate and permission document verification.
- Requires verification of component authenticity prior to or during connections, preventing maliciously crafted DDS Participants or ROS 2 Nodes from compromising the databus.
- SI-2 (Flaw Remediation): Ensures timely flaw remediation to patch the non-compliant OpenSSL PKCS7_verify usage exploited by attackers with valid certificates.
NVD Description
An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate's validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.
Deeper analysis
CVE-2023-24011 is a vulnerability arising from a non-compliant implementation of permission document verification in some DDS vendors, specifically due to improper use of the OpenSSL PKCS7_verify function for validating S/MIME signatures. It affects secure DDS databus systems, enabling exploitation through vulnerable attributes in the configuration of PKCS#7 certificate validation. Components impacted include DDS Participants and ROS 2 Nodes that rely on these mechanisms.
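The following script is an added illustration of the flaw class the record describes; it is not code from the CVE record, the linked advisories, or any DDS vendor. It builds a constructed Permissions CA, one certificate issued by that CA and one well-formed but untrusted self-signed certificate, signs a stand-in permissions document with each, and then verifies both signatures twice: once with chain validation switched off (`openssl smime -verify -noverify`, the command-line analogue of calling PKCS7_verify with the PKCS7_NOVERIFY flag, which is assumed here as the weak configuration since the page does not name the exact vendor code) and once against the Permissions CA. The untrusted signature is accepted only by the weak check. All certificates, keys and the permissions document are constructed inline.

```shell
#!/bin/sh
# Added illustration (not code from the CVE record or any DDS vendor).
# Contrasts S/MIME (PKCS#7) verification of a DDS permissions document
# with and without validating the signer's chain to the Permissions CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed trust anchor: the Permissions CA that is supposed to sign
# every permissions document used on the databus.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Permissions CA" >/dev/null 2>&1

# Legitimate signer: a certificate issued by the Permissions CA.
openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/good.key" -out "$WORK/good.csr" \
    -subj "/CN=Legitimate Permissions Signer" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/good.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/good.pem" >/dev/null 2>&1

# "Valid" but untrusted signer: well-formed and unexpired, yet never issued
# by the Permissions CA (constructed stand-in for a certificate the CA
# does not vouch for).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" \
    -subj "/CN=Untrusted Signer" >/dev/null 2>&1

# Constructed stand-in for a DDS permissions document.
printf '<dds><permissions><grant name="example"/></permissions></dds>\n' \
    > "$WORK/permissions.xml"

# Both signers produce a syntactically valid S/MIME signature.
openssl smime -sign -in "$WORK/permissions.xml" \
    -signer "$WORK/good.pem" -inkey "$WORK/good.key" -out "$WORK/good.p7s"
openssl smime -sign -in "$WORK/permissions.xml" \
    -signer "$WORK/rogue.pem" -inkey "$WORK/rogue.key" -out "$WORK/rogue.p7s"

# Weak check: signature math only, no chain validation. This is the CLI
# analogue of PKCS7_verify with PKCS7_NOVERIFY (an assumed model of the
# flaw class; the record does not name the exact vendor code).
verify_signature_only() {
    openssl smime -verify -noverify -in "$1" -out /dev/null 2>/dev/null
}

# Hardened check: the signer certificate must chain to the Permissions CA,
# i.e. the trust store that PKCS7_verify should be handed (-CAfile here).
verify_against_permissions_ca() {
    openssl smime -verify -CAfile "$WORK/ca.pem" -in "$1" -out /dev/null 2>/dev/null
}

report() {
    if "$1" "$WORK/$2"; then echo "$1 $2: ACCEPTED"; else echo "$1 $2: REJECTED"; fi
}

report verify_signature_only good.p7s           # ACCEPTED
report verify_signature_only rogue.p7s          # ACCEPTED (the flaw)
report verify_against_permissions_ca good.p7s   # ACCEPTED
report verify_against_permissions_ca rogue.p7s  # REJECTED
```

The point a reviewer of a DDS security plugin should take from this: a signature check that succeeds for both files has validated only that someone with a key signed the document, not that the Permissions CA authorised that signer. In code, that means PKCS7_verify must be called with a populated X509_STORE holding the Permissions CA and without flags that suppress chain validation.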
The attack scenario involves an unauthenticated attacker over the network (AV:N/AC:L/PR:N) crafting malicious DDS Participants or ROS 2 Nodes equipped with valid certificates. Successful exploitation grants full control over the targeted secure DDS databus system, with a CVSS v3.1 score of 8.2 (C:H/I:N/A:L/S:U), primarily exposing sensitive information (CWE-200) while causing limited availability impact.
Advisories and related discussions are available at https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d and https://github.com/ros2/sros2/issues/282, which provide further details on the issue in the context of DDS and ROS 2 implementations.
Details
- CWE(s)