Veracode Vulnerability Database: VERACODE:43966
History: Oct 24, 2023 - 11:27 a.m.

Information Disclosure

2023-10-24 11:27:11
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
@tauri-apps/cli
information disclosure
vulnerability
misconfiguration
private key
updater key password
documentation
environment variables
tauri application

CVSS3: 8.4 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

AI Score: 7.2 High (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 9.1%)

@tauri-apps/cli is vulnerable to Information Disclosure. The vulnerability is due to a commonly used misconfiguration that leaks the private key and the updater key password. If envPrefix: ['VITE_', 'TAURI_'] was pasted from the documentation into vite.config.ts, TAURI_PRIVATE_KEY and TAURI_KEY_PASSWORD are exposed in the released Tauri application. Note that the vulnerability does not exist in the code itself; the CVE was issued for the unsafe documentation.
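The check below is an added example, not code from Tauri, Vite or the advisory. It models Vite's prefix rule to show which variables a given envPrefix exposes to the frontend, and scans built output for the secret values. The function names, the sample environment and the narrower prefix list are constructed for illustration.

```javascript
// Added example, not Tauri or Vite code. Function names are hypothetical.
// Models Vite's rule: a variable is exposed to client code when its name
// starts with one of the envPrefix entries (default 'VITE_').
const SECRET_NAMES = ['TAURI_PRIVATE_KEY', 'TAURI_KEY_PASSWORD']; // named in the advisory

function normalizePrefixes(envPrefix) {
  if (envPrefix === undefined) return ['VITE_'];
  return Array.isArray(envPrefix) ? envPrefix : [envPrefix];
}

// Variable names the given envPrefix makes available to the frontend.
function exposedNames(envPrefix, env) {
  const prefixes = normalizePrefixes(envPrefix);
  return Object.keys(env)
    .filter((name) => prefixes.some((p) => name.startsWith(p)))
    .sort();
}

// Signing secrets that the configuration exposes by name.
function exposedSecrets(envPrefix, env) {
  return exposedNames(envPrefix, env).filter((n) => SECRET_NAMES.includes(n));
}

// Release gate: secret values that appear verbatim in built frontend text.
function secretsInBundle(bundleText, env) {
  return SECRET_NAMES.filter((n) => env[n] && bundleText.includes(env[n]));
}

// Constructed sample data (no real keys).
const sampleEnv = {
  VITE_API_URL: 'https://example.invalid/api',
  TAURI_PLATFORM: 'linux',
  TAURI_DEBUG: 'false',
  TAURI_PRIVATE_KEY: 'CONSTRUCTED-PRIVATE-KEY-PLACEHOLDER',
  TAURI_KEY_PASSWORD: 'constructed-password',
  HOME: '/home/builder',
};
const riskyPrefix = ['VITE_', 'TAURI_']; // the setting quoted in the advisory
const narrowPrefix = ['VITE_', 'TAURI_PLATFORM', 'TAURI_DEBUG']; // illustrative allowlist
const sampleBundle =
  'const e={TAURI_KEY_PASSWORD:"constructed-password",TAURI_PLATFORM:"linux"};';

console.log('risky config exposes:', exposedSecrets(riskyPrefix, sampleEnv));
console.log('narrow config exposes:', exposedSecrets(narrowPrefix, sampleEnv));
console.log('secret values in bundle:', secretsInBundle(sampleBundle, sampleEnv));
```

Matching is by string prefix, so an entry such as 'TAURI_P' would still match TAURI_PRIVATE_KEY; list full variable names for anything under the TAURI_ namespace.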
