CVE-2024-35058
Description
CVE-2024-35058 describes a local code execution vulnerability in NASA AIT-Core v2.5.2 where the API wait function uses eval on attacker-supplied strings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2024-35058 is a local code execution vulnerability in NASA AIT-Core version 2.5.2. The root cause is the use of Python's eval() function within the API wait function defined in ait/core/api.py. This function accepts user-supplied conditions as Python string expressions, which are then evaluated without proper sanitization [1][4].
Exploitation
An attacker with access to the API can supply a crafted Python string to the wait function. Because eval() executes the supplied string as Python code, the attacker can run arbitrary Python operations or system commands. For example, a payload such as "__import__('os').system('id')" would be executed [4]. No authentication is required when the API is exposed; reaching the API endpoint is the only prerequisite.
Impact
Successful exploitation allows an attacker to execute arbitrary code locally on the server running AIT-Core. This could lead to full compromise of the affected system, including data exfiltration, installation of backdoors, or disruption of mission-critical telemetry and commanding functions [1][4].
Mitigation
As of the publication date, no official patch has been released. The vulnerability is listed in the NVD with no fix available [3]. Users are advised to restrict network access to the AIT-Core API, review code for misuse of eval(), and monitor the project's GitHub repository for updates [2][3].
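To make the root cause and the code-review advice concrete, the following is an added illustration (not AIT-Core's own code): a wait-style function that passes its condition string to eval(), beside a hardened version that parses the string with the ast module and accepts only comparisons of known telemetry names against literals. The function names, the TELEMETRY snapshot and the accepted condition grammar are assumptions made for this example, not the project's real wait signature.

```python
import ast
import operator

# Constructed telemetry snapshot that a wait condition is checked against;
# the names and values are assumptions made for this example.
TELEMETRY = {"voltage": 28.1, "mode": "SAFE", "count": 3}

# The pattern the advisory describes: the condition string goes straight to
# eval(), so any Python expression runs, not only a telemetry comparison.
def wait_unsafe(condition: str, telemetry: dict = TELEMETRY) -> bool:
    return bool(eval(condition, {}, dict(telemetry)))

# Hardened replacement: parse the string into an AST and accept only
# comparisons of known telemetry names against literals, joined by
# and/or/not. Calls, attribute access, subscripts and imports never run
# because anything outside this grammar is rejected before evaluation.
_CMP = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}

def _operand(node: ast.AST, telemetry: dict):
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
        return node.value
    if isinstance(node, ast.Name) and node.id in telemetry:
        return telemetry[node.id]
    raise ValueError(f"disallowed operand: {type(node).__name__}")

def _truth(node: ast.AST, telemetry: dict) -> bool:
    if isinstance(node, ast.BoolOp):
        parts = [_truth(v, telemetry) for v in node.values]
        return all(parts) if isinstance(node.op, ast.And) else any(parts)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _truth(node.operand, telemetry)
    if isinstance(node, ast.Compare) and len(node.ops) == 1:
        op = _CMP.get(type(node.ops[0]))
        if op is None:
            raise ValueError("disallowed comparison operator")
        left = _operand(node.left, telemetry)
        right = _operand(node.comparators[0], telemetry)
        return bool(op(left, right))
    raise ValueError(f"disallowed expression: {type(node).__name__}")

def wait_safe(condition: str, telemetry: dict = TELEMETRY) -> bool:
    # Parse only; nothing in the string is executed before the grammar check.
    try:
        tree = ast.parse(condition, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"malformed condition: {exc.msg}") from None
    return _truth(tree.body, telemetry)
```

Both functions accept a legitimate condition such as "voltage > 27 and mode == 'SAFE'", but wait_safe raises ValueError on the advisory's payload without ever executing it, which is the behaviour a code review for eval() misuse should be looking for.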
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ait-core (PyPI) | <= 2.5.2 | — |
Affected products
- NASA/AIT-Core
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.