
CVE-2024-35058: NASA AIT-Core vulnerable to remote code execution

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.23217%
Published: 5/21/2024
Updated: 11/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: ait-core
Ecosystem: pip
Vulnerable Versions: <= 2.5.2
First Patched Version: (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability description explicitly names the API wait function as the attack vector. Multiple sources (the GitHub advisory, a LinkedIn article, and GitHub issue #528) confirm that this function passes untrusted input to eval(). Because eval() executes whatever Python expression it is given, an uncontrolled string reaching it is a straightforward code injection. Other potential weaknesses exist in the system (e.g., TLM packet expressions), but CVE-2024-35058 specifically references the wait function as the entry point for RCE.
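The pattern described above, as a constructed example rather than AIT-Core's own code: a wait routine that hands a caller-supplied duration to eval() beside a hardened version that parses the string strictly as a number. The function names, the range limit and the sample inputs are assumptions for illustration.

```python
import math

# Constructed illustration of the vulnerable pattern: the duration string is
# evaluated as Python, so any expression in it runs. Not AIT-Core's code.
def wait_vulnerable(duration_expr: str) -> float:
    return float(eval(duration_expr))  # deliberately unsafe, shown for contrast


# Hardened form: parse, never evaluate. Only a finite, non-negative number
# within a sane upper bound is accepted; everything else is rejected.
def wait_hardened(duration_str: str, max_seconds: float = 3600.0) -> float:
    if not isinstance(duration_str, str) or len(duration_str) > 32:
        raise ValueError("duration must be a short string")
    try:
        seconds = float(duration_str)  # float() parses literals, it does not execute code
    except ValueError as exc:
        raise ValueError(f"duration is not a number: {duration_str!r}") from exc
    # float() accepts "inf" and "nan"; neither is a usable wait time.
    if not math.isfinite(seconds) or not 0.0 <= seconds <= max_seconds:
        raise ValueError(f"duration out of range: {duration_str!r}")
    return seconds


def rejects(fn, value: str) -> bool:
    """True if fn raises ValueError for value (used to check the hardened path)."""
    try:
        fn(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a plain number, an arithmetic expression, and a
    # special float value. The vulnerable version computes the expression,
    # which is exactly the behaviour an attacker abuses; the hardened version
    # accepts only the plain number.
    for sample in ("1.5", "2 * 3", "inf"):
        print(sample, "vulnerable ->", wait_vulnerable(sample) if sample != "inf" else "n/a",
              "| hardened rejects ->", rejects(wait_hardened, sample))
```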


WAF Protection Rules

WAF Rule

An issue in the API wait function of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via supplying a crafted string.
