CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
EPSS
Percentile
42.2%
Due to missing canonicalization when readDir
is called recursively, it was possible to display directory listings outside of the defined fs
scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs
scope. No arbitrary file content could be leaked.
The issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the
requested (sub) directory is a symbolic link outside of the defined scope
.
Disable the readDir
endpoint in the allowlist
inside the tauri.conf.json
.
This issue was initially reported by martin-ocasek in #4882.
If you have any questions or comments about this advisory:
github.com/advisories/GHSA-28m8-9j7v-x499
github.com/tauri-apps/tauri/commit/bb178829086e80916f9be190f02d83bc25802799
github.com/tauri-apps/tauri/issues/4882
github.com/tauri-apps/tauri/pull/5123
github.com/tauri-apps/tauri/pull/5123/commits/1f9b9e8d26a2c915390323e161020bcb36d44678
github.com/tauri-apps/tauri/releases/tag/tauri-v1.0.6
github.com/tauri-apps/tauri/security/advisories/GHSA-28m8-9j7v-x499
nvd.nist.gov/vuln/detail/CVE-2022-39215
rustsec.org/advisories/RUSTSEC-2022-0088.html