GitHub Advisory DatabaseGHSA-28M8-9J7V-X499Tauri's readDir Endpoint Scope can be Bypassed With Symbolic Links
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
EPSS
Percentile
42.2%
Impact
Due to missing canonicalization when readDir is called recursively, it was possible to display directory listings outside of the defined fs scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs scope. No arbitrary file content could be leaked.
Patches
The issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the
requested (sub) directory is a symbolic link outside of the defined scope.
Workarounds
Disable the readDir endpoint in the allowlist inside the tauri.conf.json.
For more information
This issue was initially reported by martin-ocasek in #4882.
If you have any questions or comments about this advisory:
- Open an issue in tauri
- Email us at [email protected]
Affected configurations
References
github.com/advisories/GHSA-28m8-9j7v-x499
github.com/tauri-apps/tauri/commit/bb178829086e80916f9be190f02d83bc25802799
github.com/tauri-apps/tauri/issues/4882
github.com/tauri-apps/tauri/pull/5123
github.com/tauri-apps/tauri/pull/5123/commits/1f9b9e8d26a2c915390323e161020bcb36d44678
github.com/tauri-apps/tauri/releases/tag/tauri-v1.0.6
github.com/tauri-apps/tauri/security/advisories/GHSA-28m8-9j7v-x499
nvd.nist.gov/vuln/detail/CVE-2022-39215
rustsec.org/advisories/RUSTSEC-2022-0088.html
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
EPSS
Percentile
42.2%