| शीर्षक | eiceblue spire-doc-mcp-server 1.0.0 Path Traversal |
|---|
| विवरण | spire-doc-mcp-server is documented as operating on Word files under the configured WORD_FILES_PATH directory. Most tools honor that boundary by resolving document_name through get_doc_path(), which rejects traversal in the input file name.
However, the exposed convert_document(document_name, target_format, output_path) tool treats output_path differently. The server forwards attacker-controlled output_path directly into ConversionHandler.convert_document(), which creates the destination directory and saves the converted document there without canonicalization or root-boundary enforcement. A caller can therefore escape WORD_FILES_PATH and create or overwrite converted output files anywhere the service account can write. |
|---|
| स्रोत | ⚠️ https://github.com/eiceblue/spire-doc-mcp-server/issues/1 |
|---|
| उपयोगकर्ता | LittleW (UID 97283) |
|---|
| सबमिशन | 12/04/2026 12:04 PM (2 महीनों पहले) |
|---|
| संयम | 28/04/2026 03:00 PM (16 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 359962 [eiceblue spire-doc-mcp-server 1.0.0 base.py get_doc_path document_name निर्देशिका ट्रैवर्सल] |
|---|
| अंक | 20 |
|---|