SCA: security update for github.com/clidey/whodb/core (GHSA-c7w4-9wv8-7x7c)

high Tenable Cloud Security Plugin ID 420842

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- WhoDB is an open source database management tool. In affected versions the application is vulnerable to
parameter injection in database connection strings, which allows an attacker to read local files on the
machine the application is running on. The application uses string concatenation to build database
connection URIs which are then passed to corresponding libraries responsible for setting up the database
connections. This string concatenation is done unsafely and without escaping or encoding the user input.
This allows an user, in many cases, to inject arbitrary parameters into the URI string. These parameters
can be potentially dangerous depending on the libraries used. One of these dangerous parameters is
`allowAllFiles` in the library `github.com/go-sql-driver/mysql`. Should this be set to `true`, the library
enables running the `LOAD DATA LOCAL INFILE` query on any file on the host machine (in this case, the
machine that WhoDB is running on). By injecting `&allowAllFiles=true` into the connection URI and
connecting to any MySQL server (such as an attacker-controlled one), the attacker is able to read local
files. This issue has been addressed in version 0.45.0 and all users are advised to upgrade. There are no
known workarounds for this vulnerability. (CVE-2025-24787)

See Also

https://github.com/advisories/GHSA-c7w4-9wv8-7x7c

Plugin Details

Severity: High

ID: 420842

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 2/7/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2025-24787

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/6/2025

Vulnerability Publication Date: 2/6/2025

Reference Information

CVE: CVE-2025-24787

cwe: CWE-943