Jaaz Remote Code Execution Vulnerability in MCP STDIO Command Handling

Vulnerability

A remote code execution vulnerability has been identified in Jaaz version 1.0.30. The flaw lies in how the application handles MCP STDIO command execution: a Jaaz instance that is reachable over the network and has MCP enabled accepts crafted requests that determine the command an MCP STDIO server is launched with, and then runs that attacker-controlled command on the server. Successful exploitation yields arbitrary command execution in the context of the Jaaz service and can lead to full compromise of the affected system.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the executed commands running under the privileges of the Jaaz service. This could lead to a complete compromise of the affected system.

Reproduction

To reproduce this vulnerability, send a network request to a Jaaz instance that has MCP enabled, carrying a payload that modifies the MCP server configuration so that an MCP STDIO server entry specifies an arbitrary command. Jaaz then executes that command on the server.
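The check a handler for this request path needs, as an added example that is not Jaaz's own code: a network-supplied MCP configuration is accepted only from an authenticated caller, and an MCP STDIO server is spawned only when its command and leading arguments match an operator-vetted allowlist, with no shell involved. The allowlist entries and env key are constructed; the mcpServers/command/args/env field names follow the common MCP client configuration layout and are an assumption about the request format.

```python
"""Validate an MCP STDIO server configuration before anything is spawned."""
from typing import Any

# Operator-vetted launch prefixes (constructed example values, not Jaaz's list).
ALLOWED_PREFIXES = [
    ["npx", "-y", "example-mcp-server"],
    ["uvx", "example-mcp-py"],
]
ALLOWED_ENV_KEYS = {"EXAMPLE_API_KEY"}  # constructed; PATH, LD_PRELOAD etc. stay out
SHELL_META = set(";&|`$<>(){}\n\r")


class McpConfigError(ValueError):
    """Raised when a submitted MCP server spec must not be spawned."""


def validate_stdio_server(name: str, spec: Any) -> list[str]:
    """Return the argv to pass to subprocess.Popen (shell=False) or raise."""
    if not isinstance(spec, dict):
        raise McpConfigError(f"{name}: spec must be an object")
    command, args = spec.get("command"), spec.get("args", [])
    if not isinstance(command, str) or not isinstance(args, list) \
            or not all(isinstance(a, str) for a in args):
        raise McpConfigError(f"{name}: command must be a string, args a list of strings")
    argv = [command, *args]
    # The launcher and the package it runs must match an allowlisted prefix exactly;
    # a bare command allowlist would still let "npx -y <anything>" through.
    prefix = next((p for p in ALLOWED_PREFIXES if argv[:len(p)] == p), None)
    if prefix is None:
        raise McpConfigError(f"{name}: {argv[:3]!r} is not an allowlisted MCP server")
    # Remaining args are plain operands: no extra flags, traversal or shell syntax.
    for extra in argv[len(prefix):]:
        if extra.startswith("-") or ".." in extra or set(extra) & SHELL_META:
            raise McpConfigError(f"{name}: disallowed argument {extra!r}")
    env = spec.get("env", {})
    if not isinstance(env, dict) or set(env) - ALLOWED_ENV_KEYS:
        raise McpConfigError(f"{name}: env may only set {sorted(ALLOWED_ENV_KEYS)}")
    return argv


def validate_mcp_config(config: Any, *, authenticated: bool) -> dict[str, list[str]]:
    """Validate a whole {"mcpServers": {...}} document received over the network."""
    if not authenticated:  # configuration changes are never accepted anonymously
        raise McpConfigError("MCP configuration changes require an authenticated user")
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    if not isinstance(servers, dict):
        raise McpConfigError("config must contain an mcpServers object")
    return {n: validate_stdio_server(n, s) for n, s in servers.items()}
```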

Added: Apr 15, 2026, 4:32 PM
Updated: Apr 15, 2026, 4:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.4
remediation: 0.0
relevance: 6.0
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to produce these eight key vulnerability categories, which are then combined to calculate the overall risk score.