CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.002 Low
Percentile: 53.0%
The 1.4.0 release includes a regression on the filesystem scope check for dotfiles on Linux and macOS.
Previously, dotfiles (e.g. $HOME/.ssh/) were not implicitly allowed by glob wildcard scopes (e.g. $HOME/*), but a regression was introduced when a configuration option for this behavior was implemented, and dotfiles were implicitly allowed.
Only Tauri applications using wildcard scopes in the fs endpoint are affected.
Only macOS and Linux systems are affected.
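The scope behavior described above, as an added example that is not Tauri's code: a minimal glob matcher with a flag (called `literal_dot` here) that decides whether wildcards may match a leading dot. The function names, the sample paths, and the rule that wildcards never cross `/` are assumptions of this example.

```rust
// Added illustration (not Tauri's code): a tiny glob matcher showing how a
// "literal leading dot" rule changes what a wildcard scope allows.
// Simplification assumed here: `*` and `?` never match '/'.

/// `prev` is the byte just before `path`; '/' marks the start of a component.
fn glob(pat: &[u8], path: &[u8], prev: u8, literal_dot: bool) -> bool {
    // A leading dot is a '.' that begins a path component (dotfile or dot-directory).
    let leading_dot = literal_dot && prev == b'/' && path.first() == Some(&b'.');
    match pat.split_first() {
        None => path.is_empty(),
        Some((&b'*', rest)) => {
            // `*` matches nothing, or consumes one byte and tries again.
            if glob(rest, path, prev, literal_dot) {
                return true;
            }
            match path.split_first() {
                Some((&c, tail)) if c != b'/' && !leading_dot => glob(pat, tail, c, literal_dot),
                _ => false,
            }
        }
        Some((&b'?', rest)) => match path.split_first() {
            Some((&c, tail)) if c != b'/' && !leading_dot => glob(rest, tail, c, literal_dot),
            _ => false,
        },
        Some((&p, rest)) => match path.split_first() {
            Some((&c, tail)) if c == p => glob(rest, tail, c, literal_dot),
            _ => false,
        },
    }
}

/// True if any scope pattern allows `path` (hypothetical helper name).
fn scope_allows(scope: &[&str], path: &str, literal_dot: bool) -> bool {
    scope.iter().any(|p| glob(p.as_bytes(), path.as_bytes(), b'/', literal_dot))
}

fn main() {
    // Constructed sample: "/home/alice/*" stands in for a resolved `$HOME/*` scope.
    let scope = ["/home/alice/*"];
    for path in ["/home/alice/notes.txt", "/home/alice/.ssh", "/home/alice/.bashrc"] {
        println!(
            "{:<24} strict={:<5} permissive={}",
            path,
            scope_allows(&scope, path, true),
            scope_allows(&scope, path, false)
        );
    }
}
```

With `literal_dot` set, a dotfile is allowed only when the scope pattern names the dot explicitly; with it unset, the same wildcard scope also covers dotfiles, which is the implicit allowance the advisory describes.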
The regression has been patched in v1.4.1.
There are no known workarounds at this time; users should update to v1.4.1 immediately.
See the original advisory for more information.
If you have any questions or comments about this advisory:
Open an issue in tauri
Email us at [email protected]
github.com/advisories/GHSA-wmff-grcw-jcfm
github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564
github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347
github.com/tauri-apps/tauri/pull/7227
github.com/tauri-apps/tauri/security/advisories/GHSA-6mv3-wm7j-h4w5
github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm
nvd.nist.gov/vuln/detail/CVE-2023-34460