ait-core@2.5.2 vulnerabilities
NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions
-
latest version
2.5.2
-
first published
6 years ago
-
latest version published
9 months ago
-
licenses detected
- [0,)
Direct Vulnerabilities
Known vulnerabilities in the ait-core package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.| Vulnerability | Vulnerable Version |
|---|---|
ait-core is a NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions Affected versions of this package are vulnerable to Arbitrary Command Execution via supplying a crafted YAML file. How to fix Arbitrary Command Execution? There is no fixed version for |
[0,)
|
ait-core is a NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') in the Note: Although the eval function is handy, it is inherently insecure. It is recommended to use third-party libraries that provide the same functionality but sanitise the input to handle expression evaluation securely. How to fix Improper Control of Generation of Code ('Code Injection')? There is no fixed version for |
[0,)
|
ait-core is a NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions Affected versions of this package are vulnerable to SQL Injection via the Note: Back-end database implementation also provides the insert function that handles the build of SQL query statements in a partially secure way by using the values (‘?’) separately and deferring the query build to the database library. The exact implementation approach is recommended for functions that build a SQL query string. How to fix SQL Injection? There is no fixed version for |
[0,)
|
ait-core is a NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via a crafted packet. An attacker can execute arbitrary code by sending a maliciously crafted packet to the server. Note: Although the eval function is handy, it is inherently insecure. It is recommended to use third-party libraries that provide the same functionality but sanitise the input to handle expression evaluation securely. How to fix Improper Control of Generation of Code ('Code Injection')? There is no fixed version for |
[0,)
|
ait-core is a NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the How to fix Improper Control of Generation of Code ('Code Injection')? There is no fixed version for |
[0,)
|
ait-core is a NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information due to the use of unencrypted channels to exchange data over the network. An attacker can execute arbitrary code by performing a man-in-the-middle attack. Notes: In the exploitation scenario, there two vulnerabilities:
To prevent the RCE, it is recommended to resolve both issues. Although replacing the plain ZMQ communication with ZMQ SSH Tunnelling might be tempting, more is needed. It will mitigate the MitM attacks; however, given that the TLM instrument opens a port and connects to a telemetry source without any verification, another attack vector emerges for exploitation – in case the bad actor can access the telemetry source host, they can stop a telemetry source and start their own with a malicious payload. How to fix Cleartext Transmission of Sensitive Information? There is no fixed version for |
[0,)
|