漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call
Vulnerability Description
mcp-memory-service is a semantic memory layer for AI applications. Prior to version 10.65.3, the HTTP MCP JSON-RPC endpoint at `/mcp` requires only OAuth `read` scope for all requests, then dispatches `tools/call` directly to handlers that include mutating tools. A read-only OAuth client can call `store_memory` and `delete_memory` through MCP even though the corresponding REST endpoints require `write` scope. Version 10.65.3 patches the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Vulnerability Type
授权机制缺失
Vulnerability Title
doobidoo mcp-memory-service 授权问题漏洞
Vulnerability Description
doobidoo mcp-memory-service是doobidoo个人开发者开源的一个模型上下文协议服务。 doobidoo mcp-memory-service 10.65.3之前版本存在授权问题漏洞,该漏洞源于HTTP MCP JSON-RPC端点`/mcp`仅需要OAuth `read`范围,直接分发`tools/call`到包含变更工具的处理程序,可能导致只读OAuth客户端调用`store_memory`和`delete_memory`。
CVSS Information
N/A
Vulnerability Type
N/A