=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN767
_____________________________________________________________________

DATE                : 05/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Doris-MCP-Server versions
                     prior to 0.6.0.

=====================================================================
https://lists.apache.org/thread/6tswlphj0pqn9zf25594r3c1vzvfj40h
_____________________________________________________________________

CVE-2025-58337: Apache Doris-MCP-Server: Improper Access Control
results in bypassing a "read-only" mode for doris-mcp-server MCP
Server


Severity: moderate 

Affected versions:

- Apache Doris-MCP-Server 0.1.0 before 0.6.0

Description:

An attacker with a valid read-only account can bypass Doris MCP
Server’s read-only mode due to improper access control, allowing
modifications that should have been prevented by read-only
restrictions.


Impact:

Bypasses read-only mode; attackers with read-only access may
perform unauthorized modifications.
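The advisory does not say how the bypass works, so what follows is an added illustration of the vulnerability class, not code from doris-mcp-server: a weak read-only gate that only inspects the leading keyword, beside a hardened statement gate of the kind an operator would want such a mode to enforce (the keyword lists and the MySQL-style comment syntax used by Doris are assumptions).

```python
import re

# Assumed lists for this example: verbs a read-only mode may accept up front,
# and verbs that must not appear anywhere in the statement.
READ_ONLY_VERBS = {"SELECT", "SHOW", "DESCRIBE", "DESC", "EXPLAIN", "WITH"}
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "MERGE", "CREATE", "ALTER", "DROP", "TRUNCATE",
               "GRANT", "REVOKE", "SET", "LOAD", "INTO", "CALL", "EXECUTE"}


def naive_is_read_only(sql: str) -> bool:
    """Weak gate: checks only the first keyword, so a batch or a writing CTE slips through."""
    return sql.lstrip().upper().startswith("SELECT")


def split_statements(sql: str) -> list[str]:
    """Split on ';' outside literals and comments; literals become '?' so later keyword
    scanning never sees their contents. Only '/* */' and '-- ' (dash-dash plus whitespace,
    as in MySQL/Doris) count as comments: treating text the database would execute as a
    comment would hide tokens, so the recogniser is deliberately strict."""
    stmts, cur, i, n = [], [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):                     # string literal, honouring backslash escapes
            j = i + 1
            while j < n and sql[j] != ch:
                j += 2 if sql[j] == "\\" else 1
            cur.append(" ? ")
            i = j + 1
        elif sql.startswith("--", i) and (i + 2 >= n or sql[i + 2] in " \t\r\n"):
            nl = sql.find("\n", i)
            i = n if nl < 0 else nl
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif ch == ";":
            stmts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(ch)
            i += 1
    stmts.append("".join(cur))
    return [s.strip() for s in stmts if s.strip()]


def is_read_only(sql: str) -> bool:
    """Hardened gate: exactly one statement, a read verb first, and no write verb anywhere
    (CTE bodies, subqueries, INTO OUTFILE). Conservative: doubtful input is rejected."""
    stmts = split_statements(sql)
    if len(stmts) != 1:
        return False
    words = [w.upper() for w in re.findall(r"[A-Za-z_]+", stmts[0])]
    if not words or words[0] not in READ_ONLY_VERBS:
        return False
    return not (set(words) & WRITE_VERBS)
```

Failing to recognise a comment only makes the gate stricter, whereas recognising one the database does not would open a bypass, which is why the recogniser errs on the side of seeing more tokens.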


Recommended action for operators: Upgrade to version 0.6.0 as soon
as possible (this release contains the fix).


Credit:

Liran Tal (liran@lirantal.com) (finder)


References:

https://doris.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-58337


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================