x/vulndb: potential Go vuln in github.com/wtfutil/wtf: CVE-2019-15716

[tatianab]

CVE-2019-15716 references github.com/wtfutil/wtf, which may be a Go module.

Description:
WTF before 0.19.0 does not set the permissions of config.yml, which might make it easier for local attackers to read passwords or API keys if the permissions were misconfigured or were based on unsafe OS defaults.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-15716
• web: wtfutil/wtf@v0.18.0...v0.19.0
• report: Security: open call for thoughts on securing WTF's config file wtfutil/wtf#517
• web: https://github.com/wtfutil/wtf/blob/67658e172c9470e93e4122d6e2c90d01db12b0ac/cfg/config_files.go#L71-L72
• Imported by: https://pkg.go.dev/github.com/wtfutil/wtf?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/wtfutil/wtf
      vulnerable_at: 0.43.0
      packages:
        - package: n/a
cves:
    - CVE-2019-15716
references:
    - web: https://github.com/wtfutil/wtf/compare/v0.18.0...v0.19.0
    - report: https://github.com/wtfutil/wtf/issues/517
    - web: https://github.com/wtfutil/wtf/blob/67658e172c9470e93e4122d6e2c90d01db12b0ac/cfg/config_files.go#L71-L72

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports