Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Dive allows One-click Remote Code Execution through Deep Links for MCP Install
Vulnerability Description
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
Dive 代码注入漏洞
Vulnerability Description
Dive是OpenAgentPlatform开源的一个MCP主机桌面应用程序。 Dive 0.13.0之前版本存在代码注入漏洞,该漏洞源于特制深度链接可在未经充分用户确认的情况下安装攻击者控制的MCP服务器配置,可能导致在受害者机器上执行任意本地命令。
CVSS Information
N/A
Vulnerability Type
N/A