Skip to content

v1.6.3 β€” security release (privilege-scoping advisory)

Choose a tag to compare

@mwtcmi mwtcmi released this 13 May 23:39

v1.6.3 β€” security release + post-v1.6.1 bug-fix sweep

219 tools (unchanged from v1.6.2). All open issues in the post-v1.6.1 review queue closed.

Security

GHSA-q4c4-5cr4-8q47 β€” High (CVSS 7.1) β€” privilege-scoping pattern. Eight tools were inheriting PERM_READ despite surfacing admin-grade data or performing admin-grade operations. Read-tier callers could pull AMI manager credentials, outbound dial PINs, full dialplan, root SSH connection commands, backup paths, CDR/PII, execute arbitrary saved GraphQL (including mutations), and recover SIP trunk passwords from raw AMI endpoint dumps.

Fixed:

  • 7 tools bumped to PERM_ADMIN (#13) β€” fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_query
  • fm_diagnose_trunk bumped to PERM_ADMIN AND adds line-level redaction of credential-bearing fields (password, md5_cred, oauth_secret, refresh_token, dtls_private_key, plus pattern catch-alls) from the AMI endpoint dump (#25). Defense in depth β€” admin-tier callers also shouldn't have plaintext credentials persisted in audit rows indefinitely.

Real-world exposure at disclosure time was nil (no PERM_READ tokens in active use on any known deployment). Fix landed proactively.

Bug fixes

  • #15 β€” fm_did_destination_map / fm_list_all_dids rendered every queue as the unnamed Queue NNN label. AbstractTool::describeDestination() queried queues_config with WHERE keyword='descr', which is the schema of queues_details. Now queries queues_config.descr directly.
  • #11 β€” every conference chat command (who's in conference X, kick, mute/unmute, lock/unlock) returned "Parameter 'room' is required" and never reached its tool. ChatParser built params with id / state; tools expected room / action. Same fix also corrected unmute silently muting and unlock silently locking.
  • #12 β€” Confbridge tools accepted any string for room, channel, action. ConfbridgeListLive's room flowed into a line-framed AMI Command β€” a newline could disturb parsing. Now allowlist-validated across all 5 tools.
  • #21 β€” three write tools accepted free-text inputs that should have been allowlisted: ToggleTimecondition.state, UpdateSipNat.external_ip + local_network, SetCallForward.type. Now validated (IP-or-FQDN for external IP, CIDR-list for local network, allowlists for the rest).
  • #1 (closed via this release) β€” README now has an explicit "Other MCP clients" subsection naming Claude Desktop, Claude Code, Cursor, Windsurf as tested with the same SSH-transport pattern, plus a pointer to INTEGRATION.md for non-MCP integrations.

Web-console behavior change

Non-admin web-console users (sessions without admin in oc_permissions) will be denied access to four chat-exposed tools: fm_audit_search, fm_get_mcp_config, fm_backup_status, fm_whos_calling. The chat console's live audit panel is unaffected β€” it uses a separate handleAuditFeed() endpoint. Sites that need read-tier users to access any of these can grant admin via set permission <user> to admin.

Install

URL=$(curl -s https://api.github.com/repos/mwtcmi/frogman/releases/latest | grep browser_download_url | grep '\.tgz' | cut -d'"' -f4)
fwconsole ma downloadinstall "$URL"
fwconsole reload