Common Weakness Enumeration

CWE-73

Allowed

External Control of File Name or Path

Abstraction: Base · Status: Draft

The product allows user input to control or influence paths or file names that are used in filesystem operations.

909 vulnerabilities reference this CWE, most recent first.

GHSA-W882-RF7Q-923G

Vulnerability from github – Published: 2026-02-10 18:30 – Updated: 2026-02-10 18:30
VLAI
Details

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T18:16:26Z",
    "severity": "LOW"
  },
  "details": "External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing locally.",
  "id": "GHSA-w882-rf7q-923g",
  "modified": "2026-02-10T18:30:41Z",
  "published": "2026-02-10T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21249"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21249"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9PX-XQR4-32J9

Vulnerability from github – Published: 2026-05-12 15:31 – Updated: 2026-05-12 15:31
VLAI
Details

External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-12T15:16:17Z",
    "severity": "CRITICAL"
  },
  "details": "External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.",
  "id": "GHSA-w9px-xqr4-32j9",
  "modified": "2026-05-12T15:31:41Z",
  "published": "2026-05-12T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8043"
    },
    {
      "type": "WEB",
      "url": "https://hub.ivanti.com/s/article/Security-Advisory---Ivanti-Xtraction-CVE-2026-8043?language=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC64-WMFM-46VW

Vulnerability from github – Published: 2025-09-05 21:32 – Updated: 2025-10-09 03:30
VLAI
Details

A path traversal validation flaw exists in Keycloak’s vault key handling on Windows. The previous fix for CVE-2024-10492 did not account for the Windows file separator (). As a result, a high-privilege administrator could probe for the existence of files outside the expected realm context through crafted vault secret lookups. This is a platform-specific variant/incomplete fix of CVE-2024-10492.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-05T20:15:34Z",
    "severity": "LOW"
  },
  "details": "A path traversal validation flaw exists in Keycloak\u2019s vault key handling on Windows. The previous fix for CVE-2024-10492 did not account for the Windows file separator (\\). As a result, a high-privilege administrator could probe for the existence of files outside the expected realm context through crafted vault secret lookups. This is a platform-specific variant/incomplete fix of CVE-2024-10492.",
  "id": "GHSA-wc64-wmfm-46vw",
  "modified": "2025-10-09T03:30:57Z",
  "published": "2025-09-05T21:32:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10043"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:16399"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:16400"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-10043"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393549"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFJJ-3HQ8-QWP2

Vulnerability from github – Published: 2024-01-10 18:30 – Updated: 2025-11-04 21:30
VLAI
Details

An information disclosure vulnerability exists in the aVideoEncoder.json.php chunkFile path functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-10T16:15:47Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists in the aVideoEncoder.json.php chunkFile path functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.",
  "id": "GHSA-wfjj-3hq8-qwp2",
  "modified": "2025-11-04T21:30:59Z",
  "published": "2024-01-10T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47171"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1869"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1869"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WGFW-CPJM-64V6

Vulnerability from github – Published: 2024-01-10 18:30 – Updated: 2025-11-04 21:31
VLAI
Details

An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the downloadURL_image parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-49864"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-10T16:15:49Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the `downloadURL_image` parameter.",
  "id": "GHSA-wgfw-cpjm-64v6",
  "modified": "2025-11-04T21:31:02Z",
  "published": "2024-01-10T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49864"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1880"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1880"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WGMV-5488-H5P5

Vulnerability from github – Published: 2025-01-31 12:33 – Updated: 2025-08-11 15:32
VLAI
Details

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-31T11:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The Drag and Drop Multiple File Upload \u2013 Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible.",
  "id": "GHSA-wgmv-5488-h5p5",
  "modified": "2025-08-11T15:32:22Z",
  "published": "2025-01-31T12:33:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12267"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3231973/drag-and-drop-multiple-file-upload-contact-form-7/trunk/inc/dnd-upload-cf7.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00ec7251-3be1-411a-b38e-1782d1691e18?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WHJP-VQW5-874C

Vulnerability from github – Published: 2023-10-23 15:30 – Updated: 2024-04-04 08:53
VLAI
Details

Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-43074"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-23T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "\nDell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.\n\n",
  "id": "GHSA-whjp-vqw5-874c",
  "modified": "2024-04-04T08:53:10Z",
  "published": "2023-10-23T15:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43074"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000213152/dsa-2023-141-dell-unity-unity-vsa-and-unity-xt-security-update-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJ3H-WX8G-X699

Vulnerability from github – Published: 2026-02-02 12:31 – Updated: 2026-02-02 22:03
VLAI
Summary
H2O has an External Control of File Name or Path vulnerability
Details

A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the /3/Parse endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the /3/Frames/framename/export endpoint. The impact of this vulnerability includes the potential for remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ai.h2o:h2o-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.46.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "h2o"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.46.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-5986"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T22:03:46Z",
    "nvd_published_at": "2026-02-02T11:16:16Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the `/3/Parse` endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the `/3/Frames/framename/export` endpoint. The impact of this vulnerability includes the potential for remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files.",
  "id": "GHSA-wj3h-wx8g-x699",
  "modified": "2026-02-02T22:03:46Z",
  "published": "2026-02-02T12:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5986"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/h2oai/h2o-3"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/64ff5319-6ac3-4447-87f7-b53495d4d5a3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "H2O has an External Control of File Name or Path vulnerability"
}

GHSA-WM45-QH3G-V83F

Vulnerability from github – Published: 2026-07-10 19:34 – Updated: 2026-07-10 19:34
VLAI
Summary
mcp-atlassian: Arbitrary server-side file read via attachment upload
Details

Summary

A client that can invoke MCP tools can read arbitrary files from the server host and exfiltrate them as Atlassian attachments. The attachment-upload tools take a client-supplied file_path and open() it on the server's filesystem.

The upload tools are meant to attach a file from the caller's environment — the client supplies a path expecting it to refer to its own machine. Over a remote transport (HTTP/SSE) that path is instead resolved and read on the server, and the tool offers no way for the client to send file content in place of a server-side path. A remote client therefore reads the server's files — and, in multi-tenant deployments, other tenants' data — instead of its own. (In a local stdio deployment the server runs as the user, so the path refers to the user's own files and reading any path is the intended behavior; the exposure is specific to remote/multi-user transports.)

Details

The upload tools read a client-supplied path directly on the server:

  • src/mcp_atlassian/confluence/attachments.pyupload_attachment_upload_attachment_directos.path.abspath(file_path)open(file_path, "rb")
  • src/mcp_atlassian/jira/attachments.pyupload_attachmentos.path.abspath(file_path)open(file_path, "rb")

os.path.abspath() only normalizes the path; the file is then opened on the server wherever it points and its bytes are sent to Atlassian as an attachment. There is no path a client can use to reference its own filesystem, and no option to upload raw content instead of a server-side path.

Client-reachable entry points that hit these sinks:

  • confluence_upload_attachmentConfluenceFetcher.upload_attachment. The file_path field is documented as "absolute … or relative to the current working directory."
  • confluence_upload_attachments → loops over the same sink.
  • jira_update_issue — its attachments parameter (JSON array or comma-separated list of paths) flows through IssuesMixin.update_issueself.upload_attachments → the Jira sink. There is no standalone jira_upload_attachment tool; jira_update_issue is the only Jira entry point.

PoC

Local reproduction

Extract traversal_upload_attachment_file_read.zip:

# Fill credentials in docker-compose.yml; set CONFLUENCE_PAGE_ID / JIRA_ISSUE_KEY in poc.sh
docker compose up -d        # mcp-atlassian, streamable-http, 0.0.0.0, READ_ONLY_MODE=false
./poc.sh                    # exits 0 on success

Requires Docker, curl, jq, and an Atlassian Cloud site with a Confluence page and a Jira issue (free tier works). The script runs the steps below and confirms the /etc/passwd round-trip. Planted attachments are intentionally left in place so they can be confirmed in the Atlassian UI.

All calls are issued against the HTTP transport with READ_ONLY_MODE=false (the default).

Step 1 — read /etc/passwd from the server via Confluence upload:

req → tools/call confluence_upload_attachment
      { "content_id": "<PAGE_ID>", "file_path": "/etc/passwd" }
← { "message": "Attachment uploaded successfully",
    "attachment": { "success": true, "filename": "passwd", "id": "att<...>" } }

Step 2 — retrieve the exfiltrated content back through MCP (round-trip proves a real read):

req → tools/call confluence_download_attachment { "attachment_id": "att<...>" }
← base64 resource decoding to:
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    ...

Step 3 — same primitive via the Jira entry point (second sink):

req → tools/call jira_update_issue
      { "issue_key": "<ISSUE_KEY>", "fields": "{}", "attachments": "/etc/passwd" }
← { "attachment_results": { ... "success": true ... } }

Step 4 — credential disclosure via /proc/self/environ:

req → tools/call confluence_upload_attachment
      { "content_id": "<PAGE_ID>", "file_path": "/proc/self/environ" }
← success; the resulting "environ" attachment contains the server's env,
  including JIRA_API_TOKEN / CONFLUENCE_API_TOKEN.

(os.path.getsize reports 0 for procfs, but the upload transmits the real content — the attachment shows ~1 kB in the Confluence UI.)

Step 5 — relative traversal accepted (no containment):

req → tools/call confluence_upload_attachment
      { "content_id": "<PAGE_ID>", "file_path": "../../../../etc/hostname" }
← success — relative paths are resolved and read on the server just like absolute ones.

The uploaded files (passwd, environ, hostname) appear as real attachments on the Confluence page, confirming the server read them off its own host.

Impact

Any client that can invoke the upload tools can exfiltrate arbitrary files readable by the server process (e.g. /etc/passwd, /proc/self/environ, application config, key material). Uploading /proc/self/environ discloses the server's environment variables — including the configured JIRA_API_TOKEN / CONFLUENCE_API_TOKEN — i.e. the server process's own Atlassian credentials and any other secrets on the host. In a multi-tenant HTTP deployment this also breaks tenant isolation: one client reads files belonging to the deployment or to other tenants.

The security impact concentrates in remote / HTTP-transport deployments (sse, streamable-http, default bind 0.0.0.0), where the file_path resolves on the server host rather than the client's. In a single-user stdio deployment the path refers to the user's own machine, so there is no boundary crossing.

Credit

Discovered by Francisco Rosales of Manifold Security

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mcp-atlassian"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.22.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-10T19:34:30Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA client that can invoke MCP tools can read **arbitrary files from the server host** and exfiltrate them as Atlassian attachments. The attachment-upload tools take a client-supplied `file_path` and `open()` it on the **server\u0027s** filesystem.\n\nThe upload tools are meant to attach a file from the **caller\u0027s** environment \u2014 the client supplies a path expecting it to refer to its own machine. Over a remote transport (HTTP/SSE) that path is instead resolved and read on the server, and the tool offers no way for the client to send file *content* in place of a server-side path. A remote client therefore reads the server\u0027s files \u2014 and, in multi-tenant deployments, other tenants\u0027 data \u2014 instead of its own. (In a local `stdio` deployment the server runs as the user, so the path refers to the user\u0027s own files and reading any path is the intended behavior; the exposure is specific to remote/multi-user transports.)\n\n### Details\n\nThe upload tools read a client-supplied path directly on the server:\n\n- `src/mcp_atlassian/confluence/attachments.py` \u2014 `upload_attachment` \u2192 `_upload_attachment_direct` \u2192 `os.path.abspath(file_path)` \u2192 `open(file_path, \"rb\")`\n- `src/mcp_atlassian/jira/attachments.py` \u2014 `upload_attachment` \u2192 `os.path.abspath(file_path)` \u2192 `open(file_path, \"rb\")`\n\n`os.path.abspath()` only normalizes the path; the file is then opened on the server wherever it points and its bytes are sent to Atlassian as an attachment. There is no path a client can use to reference its own filesystem, and no option to upload raw content instead of a server-side path.\n\nClient-reachable entry points that hit these sinks:\n\n- `confluence_upload_attachment` \u2192 `ConfluenceFetcher.upload_attachment`. The `file_path` field is documented as \"absolute \u2026 or relative to the current working directory.\"\n- `confluence_upload_attachments` \u2192 loops over the same sink.\n- `jira_update_issue` \u2014 its `attachments` parameter (JSON array or comma-separated list of paths) flows through `IssuesMixin.update_issue` \u2192 `self.upload_attachments` \u2192 the Jira sink. There is no standalone `jira_upload_attachment` tool; `jira_update_issue` is the only Jira entry point.\n\n### PoC\n\n**Local reproduction**\n\nExtract `traversal_upload_attachment_file_read.zip`:\n```\n# Fill credentials in docker-compose.yml; set CONFLUENCE_PAGE_ID / JIRA_ISSUE_KEY in poc.sh\ndocker compose up -d        # mcp-atlassian, streamable-http, 0.0.0.0, READ_ONLY_MODE=false\n./poc.sh                    # exits 0 on success\n```\n\n\u003e Requires Docker, curl, jq, and an Atlassian Cloud site with a Confluence page and a Jira issue (free tier works). The script runs the steps below and confirms the `/etc/passwd` round-trip. Planted attachments are intentionally left in place so they can be confirmed in the Atlassian UI.\n\nAll calls are issued against the HTTP transport with `READ_ONLY_MODE=false` (the default).\n\nStep 1 \u2014 read `/etc/passwd` from the server via Confluence upload:\n```\nreq \u2192 tools/call confluence_upload_attachment\n      { \"content_id\": \"\u003cPAGE_ID\u003e\", \"file_path\": \"/etc/passwd\" }\n\u2190 { \"message\": \"Attachment uploaded successfully\",\n    \"attachment\": { \"success\": true, \"filename\": \"passwd\", \"id\": \"att\u003c...\u003e\" } }\n```\n\nStep 2 \u2014 retrieve the exfiltrated content back through MCP (round-trip proves a real read):\n```\nreq \u2192 tools/call confluence_download_attachment { \"attachment_id\": \"att\u003c...\u003e\" }\n\u2190 base64 resource decoding to:\n    root:x:0:0:root:/root:/bin/bash\n    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n    ...\n```\n\nStep 3 \u2014 same primitive via the Jira entry point (second sink):\n```\nreq \u2192 tools/call jira_update_issue\n      { \"issue_key\": \"\u003cISSUE_KEY\u003e\", \"fields\": \"{}\", \"attachments\": \"/etc/passwd\" }\n\u2190 { \"attachment_results\": { ... \"success\": true ... } }\n```\n\nStep 4 \u2014 credential disclosure via `/proc/self/environ`:\n```\nreq \u2192 tools/call confluence_upload_attachment\n      { \"content_id\": \"\u003cPAGE_ID\u003e\", \"file_path\": \"/proc/self/environ\" }\n\u2190 success; the resulting \"environ\" attachment contains the server\u0027s env,\n  including JIRA_API_TOKEN / CONFLUENCE_API_TOKEN.\n```\n(`os.path.getsize` reports 0 for procfs, but the upload transmits the real content \u2014 the attachment shows ~1 kB in the Confluence UI.)\n\nStep 5 \u2014 relative traversal accepted (no containment):\n```\nreq \u2192 tools/call confluence_upload_attachment\n      { \"content_id\": \"\u003cPAGE_ID\u003e\", \"file_path\": \"../../../../etc/hostname\" }\n\u2190 success \u2014 relative paths are resolved and read on the server just like absolute ones.\n```\n\nThe uploaded files (`passwd`, `environ`, `hostname`) appear as real attachments on the Confluence page, confirming the server read them off its own host.\n\n### Impact\n\nAny client that can invoke the upload tools can exfiltrate arbitrary files readable by the server process (e.g. `/etc/passwd`, `/proc/self/environ`, application config, key material). Uploading `/proc/self/environ` discloses the server\u0027s environment variables \u2014 including the configured `JIRA_API_TOKEN` / `CONFLUENCE_API_TOKEN` \u2014 i.e. the server process\u0027s own Atlassian credentials and any other secrets on the host. In a multi-tenant HTTP deployment this also breaks tenant isolation: one client reads files belonging to the deployment or to other tenants.\n\nThe security impact concentrates in remote / HTTP-transport deployments (`sse`, `streamable-http`, default bind `0.0.0.0`), where the `file_path` resolves on the server host rather than the client\u0027s. In a single-user `stdio` deployment the path refers to the user\u0027s own machine, so there is no boundary crossing.\n\n### Credit\n\nDiscovered by [Francisco Rosales](https://www.linkedin.com/in/francisco-rosales-celis/) of [Manifold Security](https://manifold.security/)",
  "id": "GHSA-wm45-qh3g-v83f",
  "modified": "2026-07-10T19:34:30Z",
  "published": "2026-07-10T19:34:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-wm45-qh3g-v83f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sooperset/mcp-atlassian"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "mcp-atlassian: Arbitrary server-side file read via attachment upload"
}

GHSA-WMCV-PJ3G-38RP

Vulnerability from github – Published: 2025-02-12 21:31 – Updated: 2025-10-22 00:33
VLAI
Details

An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user.

You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .

This issue does not affect Cloud NGFW or Prisma Access software.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-12T21:15:16Z",
    "severity": "HIGH"
  },
  "details": "An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the \u201cnobody\u201d user.\n\nYou can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended  best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .\n\n\n\nThis issue does not affect Cloud NGFW or Prisma Access software.",
  "id": "GHSA-wmcv-pj3g-38rp",
  "modified": "2025-10-22T00:33:12Z",
  "published": "2025-02-12T21:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0111"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2025-0111"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0111"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.

Mitigation
Architecture and Design Operation
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all access to files within a particular directory.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation
Implementation

Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59).

Mitigation
Installation Operation

Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.

Mitigation
Operation Implementation

If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Mitigation
Testing

Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.

CAPEC-13: Subverting Environment Variable Values

The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.

CAPEC-267: Leverage Alternate Encoding

An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard.

CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic

This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.

CAPEC-72: URL Encoding

This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

CAPEC-78: Using Escaped Slashes in Alternate Encoding

This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.

CAPEC-79: Using Slashes in Alternate Encoding

This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.

CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic

This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.