Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yOG04LTlqN3YteDQ5Oc4AAu1w
Tauri's readDir Endpoint Scope can be Bypassed With Symbolic Links
Impact
Due to missing canonicalization when readDir
is called recursively, it was possible to display directory listings outside of the defined fs
scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs
scope. No arbitrary file content could be leaked.
Patches
The issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the
requested (sub) directory is a symbolic link outside of the defined scope
.
Workarounds
Disable the readDir
endpoint in the allowlist
inside the tauri.conf.json
.
For more information
This issue was initially reported by martin-ocasek in #4882.
If you have any questions or comments about this advisory:
- Open an issue in tauri
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yOG04LTlqN3YteDQ5Oc4AAu1w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 5.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Identifiers: GHSA-28m8-9j7v-x499, CVE-2022-39215
References:
- https://github.com/tauri-apps/tauri/security/advisories/GHSA-28m8-9j7v-x499
- https://nvd.nist.gov/vuln/detail/CVE-2022-39215
- https://github.com/tauri-apps/tauri/issues/4882
- https://github.com/tauri-apps/tauri/pull/5123
- https://github.com/tauri-apps/tauri/pull/5123/commits/1f9b9e8d26a2c915390323e161020bcb36d44678
- https://github.com/tauri-apps/tauri/commit/bb178829086e80916f9be190f02d83bc25802799
- https://github.com/tauri-apps/tauri/releases/tag/tauri-v1.0.6
- https://rustsec.org/advisories/RUSTSEC-2022-0088.html
- https://github.com/advisories/GHSA-28m8-9j7v-x499
Blast Radius: 21.1
Affected Packages
cargo:tauri
Dependent packages: 70Dependent repositories: 4,409
Downloads: 1,860,480 total
Affected Version Ranges: < 1.0.6
Fixed in: 1.0.6
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.11.0, 0.11.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5
All unaffected versions: 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2