Blinko Command Injection Vulnerability in MCP Server Creation Function
Vulnerability
A command injection vulnerability has been identified in Blinko versions prior to 1.8.4. The issue arises in the Model Context Protocol (MCP) server creation function, where users with superadmin privileges can specify arbitrary commands and arguments. These user-provided commands are executed when testing the connection, potentially leading to remote code execution. This vulnerability can be exploited by bypassing certain conditions, allowing for full remote code execution as the application user and compromising the entire server.
Impact
Exploitation of this vulnerability allows for full remote code execution as the application user, leading to complete server compromise.
Reproduction
To reproduce this vulnerability, create an MCP server using the 'stdio' type and provide a command that is not validated by the application. Once the server is created, the specified command will be executed when testing the connection.
Remediation
Users are advised to update to Blinko version 1.8.4 or later, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.