CVE-2024-35061

HIGH

NASA AIT-Core < 2.5.2 - Missing Encryption of Sensitive Data

Title source: llm

Description

NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. When chained with CVE-2024-35059, the CVE in subject leads to an unauthenticated, fully remote code execution.

References (3)

Core 3

Core References

Not Applicable

https://github.com/advisories/GHSA-jqff-8g2v-642h

Third Party Advisory

https://github.com/advisories/GHSA-qv6x-53jj-vw59

Exploit

https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze

Scores

CVSS v3 7.3

EPSS 0.0055

EPSS Percentile 41.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-311

Status published

Products (2)

nasa/ait_core < 2.5.2

pypi/ait-core 0PyPI

Published May 21, 2024

Tracked Since Feb 18, 2026