GitHub Advisory Database: GHSA-WMFF-GRCW-JCFM
Jun 21, 2023 - 6:35 p.m.

Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles

2023-06-21 18:35:21
CWE-285
GitHub Advisory Database
github.com
Tags: tauri, regression, filesystem, dotfiles, linux, macos, patches, workarounds, update, security advisory, ghsa-6mv3-wm7j-h4w5

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.002 Low
Percentile: 53.0%

Impact

The 1.4.0 release includes a regression on the filesystem scope check for dotfiles on Linux and macOS.

Previously, dotfiles (e.g. $HOME/.ssh/) were not implicitly allowed by glob wildcard scopes (e.g. $HOME/*). A regression was introduced when a configuration option for this behavior was implemented, and dotfiles became implicitly allowed.

Only Tauri applications using wildcard scopes in the fs endpoint are affected.
Only macOS and Linux systems are affected.
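
The difference between the two behaviors, as an added example that is not code from Tauri or from the advisory: a simplified glob matcher in which a flag (named `strict_dot` here, a name chosen for this example) makes `*` refuse to match a leading dot. It assumes `*` never crosses a `/`, and `/home/alice` is a constructed stand-in for `$HOME`.

```rust
// Added example: simplified glob matcher, not Tauri's implementation.
// Supports literal characters and `*`; `*` never crosses a `/` (assumption).
// With `strict_dot`, `*` will not absorb a `.` that starts a path component.
fn matches(p: &[char], s: &[char], pi: usize, si: usize, strict_dot: bool) -> bool {
    if pi == p.len() {
        return si == s.len();
    }
    if p[pi] != '*' {
        return si < s.len() && p[pi] == s[si] && matches(p, s, pi + 1, si + 1, strict_dot);
    }
    // A zero-length match is always allowed, so an explicit ".ssh" pattern still works.
    if matches(p, s, pi + 1, si, strict_dot) {
        return true;
    }
    let component_start = si == 0 || s[si - 1] == '/';
    if strict_dot && component_start && si < s.len() && s[si] == '.' {
        return false; // hidden entry: the wildcard must not swallow the leading dot
    }
    let mut end = si;
    while end < s.len() && s[end] != '/' {
        end += 1;
        if matches(p, s, pi + 1, end, strict_dot) {
            return true;
        }
    }
    false
}

fn glob_match(pattern: &str, path: &str, strict_dot: bool) -> bool {
    let (p, s): (Vec<char>, Vec<char>) = (pattern.chars().collect(), path.chars().collect());
    matches(&p, &s, 0, 0, strict_dot)
}

/// Paths a scope admits only when the leading-dot rule is off (the regression's delta).
fn newly_exposed<'a>(pattern: &str, paths: &[&'a str]) -> Vec<&'a str> {
    paths.iter().copied()
        .filter(|p| glob_match(pattern, p, false) && !glob_match(pattern, p, true))
        .collect()
}

fn main() {
    // Constructed sample paths; /home/alice stands in for $HOME.
    let paths = ["/home/alice/notes.txt", "/home/alice/.ssh",
                 "/home/alice/.bashrc", "/home/alice/docs/a.txt"];
    let scope = "/home/alice/*";
    for p in paths.iter() {
        println!("{:<24} implicit={} literal={}", p, glob_match(scope, p, false), glob_match(scope, p, true));
    }
    println!("exposed when dotfiles are implicit: {:?}", newly_exposed(scope, &paths));
}
```

Running `newly_exposed` over an inventory of sensitive paths with an application's own wildcard scopes shows which dotfiles a 1.4.0-style match would have admitted.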

Patches

The regression has been patched in v1.4.1.

Workarounds

There are no known workarounds at this time. Users should update to v1.4.1 immediately.

References

See the original advisory for more information.

For more information

If you have any questions or comments about this advisory:

Open an issue in tauri
Email us at [email protected]

Affected configurations

Vulners node: tauri tauri, Match 1.4.0

CPE Name    Operator    Version
tauri       eq          1.4.0
