Advisories for Pypi/Ait-Core package

2026

NASA AMMOS Instrument Toolkit: Path traversal resulting in arbitrary file append (can be triggered over the network by unauthenticated attacker)

The Binary Stream Capture (BSC) component exposes an unauthenticated HTTP API for dynamically creating packet capture “handlers.” Because the code blindly trusts path‑related form fields, a remote client can: Bypass the configured log root and direct BSC to log to arbitrary filesystem paths (path traversal / directory escape), and Append attacker‑controlled data to those files, using the privileges of theait-bsc process. There are two ways for a remote attacker to …

2024

NASA AIT-Core vulnerable to SQL Injection

NASA AIT-Core v2.5.2 was discovered to contain multiple SQL injection vulnerabilities via the query_packets and insert functions.

NASA AIT-Core vulnerable to remote code execution

An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands.

NASA AIT-Core vulnerable to remote code execution

An issue in NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via a crafted packet.

NASA AIT-Core vulnerable to remote code execution

An issue in the API wait function of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via supplying a crafted string.

NASA AIT-Core uses unencrypted channels to exchange data over the network

NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack.