Note:
This project will be discontinued after December 13, 2021. [more]
2019-08-28
WTF before 0.19.0 does not set the permissions of config.yml, which might make it easier for local attackers to read passwords or API keys if the permissions were misconfigured or were based on unsafe OS defaults.
| Products | Wtf |
| Type | Permission Issues (CWE-275) |
| First patch | - None (likely due to unavailable code) |
| Links |
• https://github.com/wtfutil/wtf/issues/517
• https://github.com/wtfutil/wtf/blob/67658e172c9470e93e4122d6e2c90d01db12b0ac/cfg/config_files.go#L71-L72 • https://github.com/wtfutil/wtf/compare/v0.18.0...v0.19.0 |