CVE-2024-35061 - Vulnerability Details - OpenCVE

NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. When chained with CVE-2024-35059, the CVE in subject leads to an unauthenticated, fully remote code execution.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01474.

Key SSVC decision points have not yet been added.

Vendors	Products
Nasa	Ait Core

Configuration 1 [-]

cpe:2.3:a:nasa:ait_core:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-qv6x-53jj-vw59	NASA AIT-Core uses unencrypted channels to exchange data over the network

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/advisories/GHSA-jqff-8g2v-642h
https://github.com/advisories/GHSA-qv6x-53jj-vw59
https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze

History

Wed, 04 Jun 2025 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nasa Nasa ait Core
CPEs		cpe:2.3:a:nasa:ait_core::::::::
Vendors & Products		Nasa Nasa ait Core

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-05-21T00:00:00

Updated: 2024-08-02T03:07:46.463Z

Reserved: 2024-05-09T00:00:00

Link: CVE-2024-35061

Vulnrichment

Updated: 2024-08-02T03:07:46.463Z

NVD

Status : Analyzed

Published: 2024-05-21T19:15:10.390

Modified: 2025-06-03T14:16:41.090

Link: CVE-2024-35061

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-35061", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T03:07:46.463Z", "dateReserved": "2024-05-09T00:00:00", "datePublished": "2024-05-21T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-17T15:50:17.724928"}, "descriptions": [{"lang": "en", "value": "NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. When chained with CVE-2024-35059, the CVE in subject leads to an unauthenticated, fully remote code execution."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze"}, {"url": "https://github.com/advisories/GHSA-qv6x-53jj-vw59"}, {"url": "https://github.com/advisories/GHSA-jqff-8g2v-642h"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-35061", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-22T18:56:49.276087Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nasa:ait-core:2.5.2:*:*:*:*:*:*:*"], "vendor": "nasa", "product": "ait-core", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.5.2"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:34:28.475Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.463Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze", "tags": ["x_transferred"]}, {"url": "https://github.com/advisories/GHSA-qv6x-53jj-vw59", "tags": ["x_transferred"]}, {"url": "https://github.com/advisories/GHSA-jqff-8g2v-642h", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze", "tags": ["x_transferred"]}, {"url": "https://github.com/advisories/GHSA-qv6x-53jj-vw59", "tags": ["x_transferred"]}, {"url": "https://github.com/advisories/GHSA-jqff-8g2v-642h", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.463Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-35061", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-22T18:56:49.276087Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nasa:ait-core:2.5.2:*:*:*:*:*:*:*"], "vendor": "nasa", "product": "ait-core", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.5.2"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-22T19:00:56.955Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze"}, {"url": "https://github.com/advisories/GHSA-qv6x-53jj-vw59"}, {"url": "https://github.com/advisories/GHSA-jqff-8g2v-642h"}], "descriptions": [{"lang": "en", "value": "NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. When chained with CVE-2024-35059, the CVE in subject leads to an unauthenticated, fully remote code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-17T15:50:17.724928"}}}, "cveMetadata": {"cveId": "CVE-2024-35061", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:07:46.463Z", "dateReserved": "2024-05-09T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-05-21T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nasa:ait_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "63A0CA8C-1E29-4DEA-B94A-FF743059D31E", "versionEndIncluding": "2.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. When chained with CVE-2024-35059, the CVE in subject leads to an unauthenticated, fully remote code execution."}, {"lang": "es", "value": "Se descubri\u00f3 que NASA AIT-Core v2.5.2 utiliza canales no cifrados para intercambiar datos a trav\u00e9s de la red, lo que permite a los atacantes ejecutar un ataque man in the middle."}], "id": "CVE-2024-35061", "lastModified": "2025-06-03T14:16:41.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-21T19:15:10.390", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "https://github.com/advisories/GHSA-jqff-8g2v-642h"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-qv6x-53jj-vw59"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable"], "url": "https://github.com/advisories/GHSA-jqff-8g2v-642h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-qv6x-53jj-vw59"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://www.linkedin.com/pulse/remote-code-execution-via-man-in-the-middle-more-ujkze"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-311"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}