
Vulnerabilities from the last week
Incorrect Authorization
openclaw (🦞 OpenClaw — Personal AI Assistant)
Affected versions of this package are vulnerable to Incorrect Authorization through the device.token.rotate process. An attacker can gain unauthorized administrative access and potentially execute arbitrary code on connected nodes by minting tokens with elevated privileges beyond their current scope.
Server-side Request Forgery (SSRF)
mcp-atlassian is the Model Context Protocol (MCP) Atlassian integration, an open-source implementation that bridges Atlassian products (Jira and Confluence) with AI language models following Anthropic's MCP specification. This project enables secure, contextual AI interactions with Atlassian tools while maintaining data privacy and security. Key features include:
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HTTP endpoint. An attacker can cause the server to make arbitrary outbound HTTP requests to attacker-controlled URLs, potentially exposing sensitive internal resources or credentials, by sending specially crafted requests containing X-Atlassian-Jira-Url or X-Atlassian-Confluence-Url headers without an Authorization header.
Note: This is only exploitable if the server is running with --transport streamable-http or --transport sse, the request contains both the relevant URL and personal token headers, and no Authorization header is present.
Directory Traversal
Affected versions of this package are vulnerable to Directory Traversal in the resolveURI() function while performing directory validation when the configuration value livy.file.local-dir-whitelist is set to a non-default value. An attacker can gain unauthorized access to arbitrary directories by bypassing directory restrictions.
Recent vulnerabilities disclosed by Snyk
- High: Improper Verification of Cryptographic Signature in sjcl (npm)
- High: Authorization Bypass Through User-Controlled Key in flowise (npm)
- High: Directory Traversal in @google/clasp (npm)
- Critical: Improper Handling of Case Sensitivity in @whyour/qinglong (npm)
- Critical: Remote Code Execution (RCE) in @whyour/qinglong (npm)
Snyk security researchers have disclosed 3476 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.