CVE-2025-24786— WhoDB 安全漏洞
获取后续新漏洞提醒登录后订阅
一、 漏洞 CVE-2025-24786 基础信息
漏洞信息
对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗ 尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Path traversal opening Sqlite3 database in WhoDB
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal prevention in place. This allows an unauthenticated attacker to open any Sqlite3 database present on the host machine that the application is running on. Affected versions of WhoDB allow users to connect to Sqlite3 databases. By default, the databases must be present in `/db/` (or alternatively `./tmp/` if development mode is enabled). If no databases are present in the default directory, the UI indicates that the user is unable to open any databases. The database file is an user-controlled value. This value is used in `.Join()` with the default directory, in order to get the full path of the database file to open. No checks are performed whether the database file that is eventually opened actually resides in the default directory `/db`. This allows an attacker to use path traversal (`../../`) in order to open any Sqlite3 database present on the system. This issue has been addressed in version 0.45.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
来源: 美国国家漏洞数据库 NVD
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
路径遍历:’…/…//’
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
WhoDB 安全漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
WhoDB是clidey开源的一个数据浏览器。 WhoDB 0.45.0及之前版本存在安全漏洞,该漏洞源于没有防止路径遍历的措施,允许未经身份验证的攻击者打开运行主机上的任何Sqlite3数据库。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD
受影响产品
二、漏洞 CVE-2025-24786 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | WhoDB contains a path traversal caused by lack of validation when opening database files, letting unauthenticated attackers access arbitrary Sqlite3 databases on the host system, exploit requires attacker to manipulate database filename input. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-24786.yaml | POC详情 |
AI 生成 POC高级
未找到公开 POC。
登录以生成 AI POC三、漏洞 CVE-2025-24786 的情报信息
Please 登录 to view more intelligence information
- Path traversal opening Sqlite3 database · Advisory · clidey/whodb · GitHubx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2025-24786
IV. Related Vulnerabilities
V. Comments for CVE-2025-24786
暂无评论