ait-core 3.1.0

Direct Vulnerabilities

Known vulnerabilities in the ait-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Improper Control of Generation of Code ('Code Injection') ait-core is a NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') in the `wait` function. An attacker can execute arbitrary code by supplying a crafted string. Note: Although the eval function is handy, it is inherently insecure. It is recommended to use third-party libraries that provide the same functionality but sanitise the input to handle expression evaluation securely. How to fix Improper Control of Generation of Code ('Code Injection')? There is no fixed version for `ait-core`.	[0,)
C SQL Injection ait-core is a NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions Affected versions of this package are vulnerable to SQL Injection via the `query_packets` and `insert` functions. An attacker can execute arbitrary SQL commands by exploiting these vulnerabilities. Note: Back-end database implementation also provides the insert function that handles the build of SQL query statements in a partially secure way by using the values (‘?’) separately and deferring the query build to the database library. The exact implementation approach is recommended for functions that build a SQL query string. How to fix SQL Injection? There is no fixed version for `ait-core`.	[0,)
C Improper Control of Generation of Code ('Code Injection') ait-core is a NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via a crafted packet. An attacker can execute arbitrary code by sending a maliciously crafted packet to the server. Note: Although the eval function is handy, it is inherently insecure. It is recommended to use third-party libraries that provide the same functionality but sanitise the input to handle expression evaluation securely. How to fix Improper Control of Generation of Code ('Code Injection')? There is no fixed version for `ait-core`.	[0,)
H Cleartext Transmission of Sensitive Information ait-core is a NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information due to the use of unencrypted channels to exchange data over the network. An attacker can execute arbitrary code by performing a man-in-the-middle attack. Notes: In the exploitation scenario, there two vulnerabilities: ZMQ communication is unencrypted. Use of Pickle To prevent the RCE, it is recommended to resolve both issues. Although replacing the plain ZMQ communication with ZMQ SSH Tunnelling might be tempting, more is needed. It will mitigate the MitM attacks; however, given that the TLM instrument opens a port and connects to a telemetry source without any verification, another attack vector emerges for exploitation – in case the bad actor can access the telemetry source host, they can stop a telemetry source and start their own with a malicious payload. How to fix Cleartext Transmission of Sensitive Information? There is no fixed version for `ait-core`.	[0,)

Vulnerability

Vulnerable Version

Improper Control of Generation of Code ('Code Injection')

ait-core is a NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') in the wait function. An attacker can execute arbitrary code by supplying a crafted string.

Note: Although the eval function is handy, it is inherently insecure. It is recommended to use third-party libraries that provide the same functionality but sanitise the input to handle expression evaluation securely.

How to fix Improper Control of Generation of Code ('Code Injection')?

There is no fixed version for ait-core.

[0,)

SQL Injection

ait-core is a NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions

Affected versions of this package are vulnerable to SQL Injection via the query_packets and insert functions. An attacker can execute arbitrary SQL commands by exploiting these vulnerabilities.

Note: Back-end database implementation also provides the insert function that handles the build of SQL query statements in a partially secure way by using the values (‘?’) separately and deferring the query build to the database library. The exact implementation approach is recommended for functions that build a SQL query string.

How to fix SQL Injection?

There is no fixed version for ait-core.

[0,)

Improper Control of Generation of Code ('Code Injection')

ait-core is a NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via a crafted packet. An attacker can execute arbitrary code by sending a maliciously crafted packet to the server.

How to fix Improper Control of Generation of Code ('Code Injection')?

There is no fixed version for ait-core.

[0,)

Cleartext Transmission of Sensitive Information

ait-core is a NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions

Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information due to the use of unencrypted channels to exchange data over the network. An attacker can execute arbitrary code by performing a man-in-the-middle attack.

Notes:

In the exploitation scenario, there two vulnerabilities:

ZMQ communication is unencrypted.
Use of Pickle

To prevent the RCE, it is recommended to resolve both issues. Although replacing the plain ZMQ communication with ZMQ SSH Tunnelling might be tempting, more is needed. It will mitigate the MitM attacks; however, given that the TLM instrument opens a port and connects to a telemetry source without any verification, another attack vector emerges for exploitation – in case the bad actor can access the telemetry source host, they can stop a telemetry source and start their own with a malicious payload.

How to fix Cleartext Transmission of Sensitive Information?

There is no fixed version for ait-core.

[0,)

ait-core@3.1.0

NASA JPL's Ground Data System toolkit for Instrument and CubeSat Missions

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically