Lucene search

K
cve[email protected]CVE-2024-35222
HistoryMay 23, 2024 - 2:15 p.m.

CVE-2024-35222

2024-05-2314:15:09
CWE-284
web.nvd.nist.gov
54
tauri
unauthorized access
iframes
harmful commands
patches
v1.6.7
v2.0.0-beta.19

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%

Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the dangerousRemoteDomainIpcAccess in v1 and in the capabilities in v2. Valid commands with potentially unwanted consequences (“delete project”, “transfer credits”, etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app. This vulnerability has been patched in versions 1.6.7 and 2.0.0-beta.19.

Affected configurations

Vulners
Node
tauri-appstauriRange1.6.6
OR
tauri-appstauriRange2.0.0-beta.02.0.0-beta.19

CNA Affected

[
  {
    "vendor": "tauri-apps",
    "product": "tauri",
    "versions": [
      {
        "version": "<= 1.6.6",
        "status": "affected"
      },
      {
        "version": ">= 2.0.0-beta.0, <= 2.0.0-beta.19",
        "status": "affected"
      }
    ]
  }
]

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%

Related for CVE-2024-35222