| शीर्षक | indrasishbanerjee aem-mcp-server 1.0.0 Server-Side Request Forgery |
|---|
| विवरण | A Server-Side Request Forgery (SSRF) vulnerability exists in the aem-mcp-server (version 1.0.0) within the getAssetMetadata tool. The application fails to validate the assetPath parameter, which is directly passed to an internal Axios-based HTTP client as this.httpClient.get(`${assetPath}.json`). An attacker can exploit this by providing a crafted protocol-relative URL (e.g., //127.0.0.1) or an absolute URL to force the server to initiate unauthorized outbound requests. This allows for internal port scanning, sensitive cloud metadata exfiltration, and probing of internal network resources that are not publicly accessible, potentially compromising the security of the entire infrastructure. |
|---|
| स्रोत | ⚠️ https://github.com/indrasishbanerjee/aem-mcp-server/issues/3 |
|---|
| उपयोगकर्ता | ccccccctfi (UID 97498) |
|---|
| सबमिशन | 11/05/2026 10:00 AM (24 दिन पहले) |
|---|
| संयम | 31/05/2026 04:24 PM (20 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 367553 [indrasishbanerjee aem-mcp-server तक b5f833aef9b5dfd17a5991b3b18a8a11edbdc583 Axios Request Flow src/mcp-server.ts getAssetMetadata assetPath अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|