Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
mcp-server-kubernetes Affected By Tool Access Control Bypass: Presentation-Layer Filtering Without Execution-Layer Enforcement
Vulnerability Description
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not at the execution layer (tools/call). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. The access control was effectively cosmetic. This issue has been patched in version 3.6.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
授权机制不正确
Vulnerability Title
MCP Server Kubernetes 安全漏洞
Vulnerability Description
MCP Server Kubernetes是Suyog Sonwalkar个人开发者的一个用于kubernetes管理的MCP服务器。 MCP Server Kubernetes 3.6.0之前版本存在安全漏洞,该漏洞源于访问控制在工具发现层执行但未在执行层执行,导致任何知道工具名称的客户端都可以直接调用它,访问控制形同虚设。
CVSS Information
N/A
Vulnerability Type
N/A