Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the execute_query method. The vulnerability stems from the exposure of dangerous Python built-in functions (__import__, getattr, hasattr) in the execution namespace and the direct use of exec() to execute user-supplied code. An attacker can craft malicious queries to execute arbitrary Python code, leading to AWS credential theft (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), file system access, environment variable disclosure, and potential system compromise. The vulnerability allows attackers to bypass intended security controls and gain unauthorized access to sensitive AWS resources and credentials stored in the server's environment.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
AWS Resources MCP Server 安全漏洞
Vulnerability Description
AWS Resources MCP Server是Bary Huang个人开发者的一个基于Python的MCP服务器。 AWS Resources MCP Server 0.1.0版本存在安全漏洞,该漏洞源于execute_query方法输入验证不足,可能导致远程代码执行和AWS凭据泄露。
CVSS Information
N/A
Vulnerability Type
N/A