| عنوان | suvarchal docker-mcp-server 0.1.0 Command Injection |
|---|
| الوصف | A command injection vulnerability (CWE-78) has been identified in docker-mcp-server, specifically within the src/index.ts component. Multiple MCP tool handlers—including stop_container, remove_container, and pull_image—construct shell command strings using unsanitized attacker-controlled input (e.g., container names or image tags) and execute them via execAsync. An attacker with network access to the MCP/HTTP interface can supply malicious input containing shell metacharacters, leading to arbitrary OS command execution with the privileges of the server process. This can result in full host compromise, including data exposure, integrity loss, and service disruption. Versions up to and including 0.1.0 are confirmed affected. |
|---|
| المصدر | ⚠️ https://github.com/suvarchal/docker-mcp/issues/3 |
|---|
| المستخدم | BruceJin (UID 96538) |
|---|
| ارسال | 24/03/2026 09:45 AM (20 أيام منذ) |
|---|
| الاعتدال | 07/04/2026 03:42 PM (14 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 355748 [suvarchal docker-mcp-server حتى 0.1.0 HTTP Interface src/index.ts stop_container/remove_container/pull_image تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|