CVE-2019-15716

Опубликовано: 28 авг. 2019

Источник: nvd

CVSS3: 5.5

CVSS2: 2.1

EPSS Низкий

Описание

WTF before 0.19.0 does not set the permissions of config.yml, which might make it easier for local attackers to read passwords or API keys if the permissions were misconfigured or were based on unsafe OS defaults.

Ссылки

https://github.com/wtfutil/wtf/blob/67658e172c9470e93e4122d6e2c90d01db12b0ac/cfg/config_files.go#L71-L72
Exploit
Third Party Advisory
https://github.com/wtfutil/wtf/compare/v0.18.0...v0.19.0
Patch
Third Party Advisory
https://github.com/wtfutil/wtf/issues/517
Third Party Advisory
https://github.com/wtfutil/wtf/blob/67658e172c9470e93e4122d6e2c90d01db12b0ac/cfg/config_files.go#L71-L72
Exploit
Third Party Advisory
https://github.com/wtfutil/wtf/compare/v0.18.0...v0.19.0
Patch
Third Party Advisory
https://github.com/wtfutil/wtf/issues/517
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wtfutil:wtf:*:*:*:*:*:*:*:*

Версия до 0.19.0 (исключая)

EPSS

Процентиль: 14%

0.00046

Низкий

5.5 Medium

CVSS3

2.1 Low

CVSS2

Дефекты

CWE-276

Связанные уязвимости

GHSA-3j2c-999x-65vh