We’ve disclosed3417vulnerabilities
by Snyk Security
Researchers
Upgrade postgresql
to version 13.19, 14.16, 15.11, 16.7, 17.3 or higher.
@modelcontextprotocol/server-filesystem is a MCP server for filesystem access
Affected versions of this package are vulnerable to Directory Traversal in the path validation process. An attacker can access unintended files by supplying a path with a colliding prefix that matches an allowed directory.
Affected versions of this package are vulnerable to HTTP Request Smuggling via incorrect parsing of the trailer
section in HTTP requests. An attacker can bypass firewall or proxy protections by crafting specially formed HTTP requests.
Note:
This is exploitable if the pure Python version of aiohttp is installed or the AIOHTTP_NO_EXTENSIONS
environment variable is enabled.
Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the storage of authentication tokens in plaintext within config.xml
files on the controller. An attacker can gain unauthorized access to sensitive credentials by obtaining Item/Extended Read permissions or direct access to the file system. Additionally, the configuration form does not mask these tokens, allowing them to be observed and captured.
by Snyk Security
Researchers
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.