| Title | ZachHandley ZMCPTools 0.2.2 Path Traversal |
|---|---|
| Description | A path traversal vulnerability (CWE-22) has been identified in ZMCPTools version 0.2.2, specifically within the MCP log resource handling code in `src/managers/ResourceManager.ts`. The `resources/read` handler accepts a user-controlled `logs://{dirname}/content?file={filename}` URI and constructs a filesystem path without validating that the resolved path remains under the intended log directory. An attacker with access to the MCP interface can supply `../` sequences in the `dirname` parameter to read arbitrary local files accessible to the server process, such as `/etc/hosts`. No fixed version is available at the time of reporting. |
| Source | https://github.com/ZachHandley/ZMCPTools/issues/8 |
| User | _Eternity_ (UID 97332) |
| Submitted | 2026-04-14 04:45 AM (2 months ago) |
| Moderation | 2026-04-29 06:53 PM (16 days later) |
| Status | Accepted |
| VulDB Entry | 360186 [ZachHandley ZMCPTools up to 0.2.2 MCP Log Resource ResourceManager.ts dirname directory traversal] |
| Points | 20 |
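
A containment check of the kind the description says is missing, written here as an added example; it is not ZMCPTools code and not a project fix. The function name `resolveLogPath`, the regex-based URI parsing and the `/var/log/zmcp` root used in the comments are assumptions.

```typescript
import * as path from "node:path";

// URI shape taken from the description: logs://{dirname}/content?file={filename}
// Parsing it with a regex is an assumption; the project's own parsing is not shown on the page.
const LOG_URI = /^logs:\/\/(.+)\/content\?file=(.+)$/;

// Hypothetical helper: returns the absolute path to read, or null when the
// request must be refused. logRoot is the intended log directory.
export function resolveLogPath(uri: string, logRoot: string): string | null {
  const m = LOG_URI.exec(uri);
  if (!m) return null;

  let dirname: string;
  let filename: string;
  try {
    // Decode first so %2e%2e%2f is judged as "../", not as opaque text.
    dirname = decodeURIComponent(m[1] ?? "");
    filename = decodeURIComponent(m[2] ?? "");
  } catch {
    return null; // malformed percent-encoding
  }
  if (dirname.includes("\0") || filename.includes("\0")) return null;

  // The file parameter names a single file, never a path.
  if (filename !== path.basename(filename) || filename.includes("\\")) return null;
  if (filename === "." || filename === "..") return null;

  const root = path.resolve(logRoot);
  const candidate = path.resolve(root, dirname, filename);

  // Compare by path segments, not by string prefix: a prefix test would
  // accept a sibling such as /var/log/zmcp-old for the root /var/log/zmcp.
  const rel = path.relative(root, candidate);
  const escapes =
    rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  return escapes ? null : candidate;
}
```

The check is lexical only. If the log directory can contain symlinks, compare `fs.realpathSync(candidate)` against the real path of the root before opening the file.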