CVE-2019-15716

Published: Aug 28, 2019Modified: Nov 21, 2024

5.5

Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

WTF before 0.19.0 does not set the permissions of config.yml, which might make it easier for local attackers to read passwords or API keys if the permissions were misconfigured or were based on unsafe OS defaults.

Affected (1)

Products: Wtfutil: Wtf

Wtfutil

1 product

Wtf

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wtfutil Wtf	Before 0.19.0

Related CWEs

CWE-276

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (6)

https://github.com/wtfutil/wtf/blob/67658e172c9470e93e4122d6e2c90d01db12b0ac/cfg/config_files.go#L71-L72

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/wtfutil/wtf/compare/v0.18.0...v0.19.0

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/wtfutil/wtf/issues/517

Source: cve@mitre.org

Third Party Advisory

https://github.com/wtfutil/wtf/blob/67658e172c9470e93e4122d6e2c90d01db12b0ac/cfg/config_files.go#L71-L72

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/wtfutil/wtf/compare/v0.18.0...v0.19.0

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/wtfutil/wtf/issues/517

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.