Cyber Posture

CVE-2023-24012

Severity: High
Published: 09 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch:
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
EPSS Score: 0.0012 (30.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-24012 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, its EPSS score ranks at the 30.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SC-13 Cryptographic Protection (prevent): Requires selection and correct implementation of cryptographic mechanisms, directly mitigating the non-compliant use of OpenSSL's PKCS7_verify function for S/MIME signature validation.

SI-2 Flaw Remediation (prevent): Mandates timely identification, reporting, and remediation of the specific flaw in permission document verification, patching the vulnerable DDS implementation.

PKI certificate validation (prevent): Establishes and maintains PKI certificate validation processes to protect against maliciously crafted certificates exploited in DDS Participant authentication.

NVD Description

An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate's validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.

Deeper analysis (AI-generated)

CVE-2023-24012 is a vulnerability in the validation of PKCS#7 certificates within secure DDS databus systems. It affects DDS Participants or ROS 2 Nodes in implementations by some DDS vendors that employ a non-compliant permission document verification process. The issue stems from an improper use of the OpenSSL PKCS7_verify function when validating S/MIME signatures, allowing exploitation of vulnerable attributes in certificate configurations. The vulnerability carries a CVSS score of 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L) and maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It was published on 2025-01-09T15:15:11.810.

A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network with low complexity. By arbitrarily crafting malicious DDS Participants or ROS 2 Nodes equipped with valid certificates, the attacker can compromise the targeted secure DDS databus system and gain full control over it. This results in high-impact confidentiality loss, such as exposure of sensitive data, alongside low-impact availability disruption.

Advisories and discussions are documented in references including a GitHub issue at https://github.com/ros2/sros2/issues/282 and technical gists at https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d.
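The NVD text names an improper use of PKCS7_verify without saying which option; the session below is an added illustration (not code from the advisory, sros2, or any DDS vendor) of one such misuse, verifying an S/MIME-signed permissions document without checking that the signer chains to the Permissions CA. It uses the openssl CLI, whose -noverify flag corresponds to the PKCS7_NOVERIFY flag of the C API; the CA and "rogue" signer names, the document contents and the temp directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example: strict vs. weak verification of an S/MIME-signed DDS
# permissions document. All key material below is throwaway demo data.
set -eu
WORK="$(mktemp -d)"

# Constructed material: a demo Permissions CA, plus a self-issued "rogue"
# certificate that is valid on its own but was never issued by that CA.
make_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Permissions CA (demo)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Rogue signer (demo)" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
  printf '<permissions>constructed demo document</permissions>\n' > "$WORK/permissions.xml"
}

# Sign the document as S/MIME (the format sros2 uses for permissions.p7s).
sign_doc() {  # $1 = signing key, $2 = signer cert, $3 = output .p7s
  openssl smime -sign -in "$WORK/permissions.xml" -signer "$2" -inkey "$1" \
    -out "$3" 2>/dev/null
}

# Correct check: signature must verify AND the signer must chain to the
# Permissions CA. This is what PKCS7_verify() does with a populated
# X509_STORE and no PKCS7_NOVERIFY flag. Exit status 0 means accepted.
verify_strict() {  # $1 = .p7s
  openssl smime -verify -in "$1" -CAfile "$WORK/ca.pem" -out /dev/null 2>/dev/null
}

# Weak check: -noverify (PKCS7_NOVERIFY) only checks that the signature matches
# the certificate embedded in the message, so any self-issued cert is accepted.
verify_noverify() {  # $1 = .p7s
  openssl smime -verify -in "$1" -noverify -out /dev/null 2>/dev/null
}
```

Run make_material, sign once with the CA key and once with the rogue key, and compare: verify_strict accepts only the CA-signed document, while verify_noverify accepts both.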

Details

CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

CVEs Like This One

CVE-2026-24870 (shared CWE-200)
CVE-2026-4020 (shared CWE-200)
CVE-2025-21620 (shared CWE-200)
CVE-2025-62188 (shared CWE-200)
CVE-2024-13562 (shared CWE-200)
CVE-2024-57716 (shared CWE-200)
CVE-2026-27161 (shared CWE-200)
CVE-2026-21260 (shared CWE-200)
CVE-2025-24102 (shared CWE-200)
CVE-2024-12142 (shared CWE-200)

References

https://github.com/ros2/sros2/issues/282
https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d