Lucene search

GitHub_MCVELIST:CVE-2023-34460

HistoryJun 23, 2023 - 7:09 p.m.

CVE-2023-34460 Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles

2023-06-2319:09:54

CWE-285

GitHub_M

www.cve.org

tauri framework

binary building

unix dotfiles

security regression

filesystem scope_check

patched vulnerability

4.8 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

9.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.0%

JSON

Tauri is a framework for building binaries for all major desktop platforms. The 1.4.0 release includes a regression on the Filesystem scope check for dotfiles on Unix. Previously dotfiles were not implicitly allowed by the glob wildcard scopes (eg. $HOME/*), but a regression was introduced when a configuration option for this behavior was implemented. Only Tauri applications using wildcard scopes in the fs endpoint are affected. The regression has been patched on version 1.4.1.

CNA Affected

[
  {
    "vendor": "tauri-apps",
    "product": "tauri",
    "versions": [
      {
        "version": "= 1.4.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564

github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347

github.com/tauri-apps/tauri/pull/7227

github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm

4.8 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

9.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.0%

JSON

Related for CVELIST:CVE-2023-34460