Insecure default config access in WriteFreely · CVE-2025-24337 · GitHub Advisory Database · GitHub

Insecure default config access in WriteFreely

High severity GitHub Reviewed Published Jan 20, 2025 to the GitHub Advisory Database • Updated Jan 21, 2025

Package

github.com/writefreely/writefreely (Go)

Affected versions

<= 0.15.1

Patched versions

None

Description

WriteFreely through 0.15.1, when MySQL is used, allows local users to discover credentials by reading config.ini.

References

Published by the National Vulnerability Database

Jan 20, 2025

Published to the GitHub Advisory Database Jan 20, 2025

Reviewed Jan 21, 2025

Last updated Jan 21, 2025

Severity

High

/ 10

CVSS v3 base metrics

Attack vector

Local

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H