Nnsee

**Name of the Vulnerable Software and Affected Versions** WhoDB versions prior to 0.45.0 **Description** The issue allows an unauthenticated attacker to open any Sqlite3 database present on the host machine that the application is running on, due to the lack of path traversal prevention. The database file is a user-controlled value used in `.Join()` with the default directory to get the full path of the database file to open. An attacker can use path traversal (`../../`) to open any Sqlite3 database present on the system. **Recommendations** For WhoDB versions prior to 0.45.0, update to version 0.45.0 to patch this issue. As a temporary workaround, consider restricting access to the database files to minimize the risk of exploitation. Avoid using user-controlled input for the database file path until the issue is resolved. Before attempting to open the database, resolve and normalize the path to the database and check whether it is in the default directory. If not, present the user with an error.

**Name of the Vulnerable Software and Affected Versions** WhoDB versions prior to 0.45.0 **Description** The application is vulnerable to parameter injection in database connection strings, allowing an attacker to read local files on the machine the application is running on. This is due to the use of string concatenation to build database connection URIs without escaping or encoding user input, enabling users to inject arbitrary parameters into the URI string. One such parameter is `allowAllFiles` in the `github.com/go-sql-driver/mysql` library, which, if set to `true`, allows the execution of the `LOAD DATA LOCAL INFILE` query on any file on the host machine. By injecting `&allowAllFiles=true` into the connection URI and connecting to any MySQL server, an attacker can read local files. **Recommendations** For WhoDB versions prior to 0.45.0, upgrade to version 0.45.0 to address the issue. As a temporary workaround, consider restricting access to the `github.com/go-sql-driver/mysql` library or avoiding the use of the `allowAllFiles` parameter in the database connection string until the issue is resolved.