CVE-2024-35061 - Vulnerability Details - OpenCVE

Description

NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. When chained with CVE-2024-35059, the CVE in subject leads to an unauthenticated, fully remote code execution.

Published: 2024-05-21

Score: 7.3 High

EPSS: 1.4% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:nasa:ait_core:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-qv6x-53jj-vw59	NASA AIT-Core uses unencrypted channels to exchange data over the network

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0139.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/advisories/GHSA-jqff-8g2v-642h
https://github.com/advisories/GHSA-qv6x-53jj-vw59
https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze

History

Wed, 04 Jun 2025 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nasa Nasa ait Core
CPEs		cpe:2.3:a:nasa:ait_core::::::::
Vendors & Products		Nasa Nasa ait Core

Subscriptions

Nasa Ait Core

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-05-21T00:00:00.000Z

Updated: 2024-08-02T03:07:46.463Z

Reserved: 2024-05-09T00:00:00.000Z

Link: CVE-2024-35061

Vulnrichment

Updated: 2024-08-02T03:07:46.463Z

NVD

Status : Analyzed

Published: 2024-05-21T19:15:10.390

Modified: 2025-06-03T14:16:41.090

Link: CVE-2024-35061

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-311

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-35061", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T03:07:46.463Z", "dateReserved": "2024-05-09T00:00:00.000Z", "datePublished": "2024-05-21T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-17T15:50:17.724Z"}, "descriptions": [{"lang": "en", "value": "NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. When chained with CVE-2024-35059, the CVE in subject leads to an unauthenticated, fully remote code execution."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze"}, {"url": "https://github.com/advisories/GHSA-qv6x-53jj-vw59"}, {"url": "https://github.com/advisories/GHSA-jqff-8g2v-642h"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-35061", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-22T18:56:49.276087Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nasa:ait-core:2.5.2:*:*:*:*:*:*:*"], "vendor": "nasa", "product": "ait-core", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.5.2"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:34:28.475Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.463Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze", "tags": ["x_transferred"]}, {"url": "https://github.com/advisories/GHSA-qv6x-53jj-vw59", "tags": ["x_transferred"]}, {"url": "https://github.com/advisories/GHSA-jqff-8g2v-642h", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze", "tags": ["x_transferred"]}, {"url": "https://github.com/advisories/GHSA-qv6x-53jj-vw59", "tags": ["x_transferred"]}, {"url": "https://github.com/advisories/GHSA-jqff-8g2v-642h", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.463Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-35061", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-22T18:56:49.276087Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nasa:ait-core:2.5.2:*:*:*:*:*:*:*"], "vendor": "nasa", "product": "ait-core", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.5.2"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-22T19:00:56.955Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze"}, {"url": "https://github.com/advisories/GHSA-qv6x-53jj-vw59"}, {"url": "https://github.com/advisories/GHSA-jqff-8g2v-642h"}], "descriptions": [{"lang": "en", "value": "NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. When chained with CVE-2024-35059, the CVE in subject leads to an unauthenticated, fully remote code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-17T15:50:17.724928"}}}, "cveMetadata": {"cveId": "CVE-2024-35061", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:07:46.463Z", "dateReserved": "2024-05-09T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-05-21T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nasa:ait_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "63A0CA8C-1E29-4DEA-B94A-FF743059D31E", "versionEndIncluding": "2.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. When chained with CVE-2024-35059, the CVE in subject leads to an unauthenticated, fully remote code execution."}, {"lang": "es", "value": "Se descubri\u00f3 que NASA AIT-Core v2.5.2 utiliza canales no cifrados para intercambiar datos a trav\u00e9s de la red, lo que permite a los atacantes ejecutar un ataque man in the middle."}], "id": "CVE-2024-35061", "lastModified": "2025-06-03T14:16:41.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-21T19:15:10.390", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "https://github.com/advisories/GHSA-jqff-8g2v-642h"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-qv6x-53jj-vw59"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable"], "url": "https://github.com/advisories/GHSA-jqff-8g2v-642h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-qv6x-53jj-vw59"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-311"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}