CVE-2024-35056: 
Python vulnerability analysis and mitigation

NASA AIT-Core v2.5.2 contains multiple SQL injection vulnerabilities discovered in the query_packets and insert functions. The vulnerability was disclosed on May 21, 2024 and assigned CVE-2024-35056. The affected software is the AMMOS Instrument Toolkit (AIT), which is a Python-based software suite designed for Ground Data Systems (GDS), Electronic Ground Support Equipment (EGSE), commanding, telemetry uplink/downlink, and sequencing for both instrument and CubeSat missions (GitHub Advisory, LinkedIn Post).

The vulnerability exists in both InfluxDB and SQLite3 backend implementations found in the ait/core/db.py file. The query_packets function builds SQL query strings in an insecure way, enabling SQL injection. While the vulnerability is less severe in InfluxDB due to limited SQL functionality, the SQLite implementation can potentially be exploited if an attacker modifies the tlm.yaml file containing packet definitions. The CVSS v3.1 base score is 9.8 (Critical) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

Depending on the system configuration, this vulnerability can lead to command injection, lateral movements, and potential privilege escalation. The impact is particularly concerning as AIT-Core processes significant amounts of telemetry packets, and the vulnerable implementation approach might be extended to support other databases, increasing the attack surface (LinkedIn Post).

The recommended mitigation is to implement secure SQL query building by using parameterized queries with placeholder values ('?') and deferring query building to the database library, similar to the existing implementation in the insert function (LinkedIn Post).