Lucene search

GoogleOSV:RUSTSEC-2022-0088

HistoryAug 07, 2022 - 12:00 p.m.

`tauri`'s `readDir` endpoint allows possible enumeration outside of filesystem scope

2022-08-0712:00:00

Google

osv.dev

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

42.3%

JSON

It is possible for readDir to incorrectly enumerate files from a symlinked directory if called recursively when specifying an empty string for the dir parameter as outlined in this issue.

This is corrected in this PR by checking if a directory is a symlink before reading from it.

CPENameOperatorVersion
taurilt1.0.6

CPE	Name	Operator	Version
	tauri	lt	1.0.6

References

crates.io/crates/tauri

github.com/tauri-apps/tauri/issues/4882

rustsec.org/advisories/RUSTSEC-2022-0088.html

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

42.3%

JSON

Related for OSV:RUSTSEC-2022-0088