Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13bWZmLWdyY3ctamNmbc4AAz-M

Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles

Impact

The 1.4.0 release includes a regression on the filesystem scope check for dotfiles on Linux and macOS.

Previously, dotfiles (e.g. $HOME/.ssh/) were not implicitly allowed by glob wildcard scopes (e.g. $HOME/*). A regression was introduced when a configuration option for this behavior was implemented: under the regressed check, such wildcards implicitly matched dotfiles as well.

Only Tauri applications using wildcard scopes in the fs endpoint are affected.
Only macOS and Linux systems are affected.
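To make the scope rule concrete, the following is an added illustration written for this page, not Tauri's own scope code. It is a deliberately small path matcher (only `*` and `**`, no `?` or character classes) with a single switch, `require_literal_leading_dot`, whose name is borrowed from the `glob` crate; treating it as a stand-in for the configuration option the advisory mentions is an assumption of the example. Paths and patterns are assumed to be already-resolved absolute paths ($HOME is taken to be /home/user in the constructed samples). With the switch on, a scope of /home/user/* refuses /home/user/.ssh; with it off, the same scope admits it, which is the behaviour the advisory describes for 1.4.0 on Linux and macOS.

```rust
/// Controls whether wildcard pattern components (`*`, `**`, `id_*`, ...) may
/// match a path component whose name starts with '.'. The field name follows
/// the `glob` crate's MatchOptions; mapping it onto Tauri's configuration
/// option is an assumption of this example.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct MatchOptions {
    pub require_literal_leading_dot: bool,
}

/// Match one path component against one pattern component.
/// Only the `*` wildcard is supported; that is enough to show the dotfile rule.
fn glob_match(pat: &[u8], s: &[u8]) -> bool {
    let (mut p, mut i) = (0usize, 0usize);
    let mut star: Option<usize> = None; // index of the last `*` seen in `pat`
    let mut mark = 0usize; // position in `s` where that `*` began matching
    while i < s.len() {
        if p < pat.len() && pat[p] == b'*' {
            star = Some(p);
            mark = i;
            p += 1;
        } else if p < pat.len() && pat[p] == s[i] {
            p += 1;
            i += 1;
        } else if let Some(sp) = star {
            // Backtrack: let the last `*` absorb one more byte of `s`.
            p = sp + 1;
            mark += 1;
            i = mark;
        } else {
            return false;
        }
    }
    while p < pat.len() && pat[p] == b'*' {
        p += 1;
    }
    p == pat.len()
}

/// The dotfile rule: a wildcard component never matches a dot-leading name
/// unless the pattern component itself literally starts with '.'.
fn component_matches(pat: &str, name: &str, opts: MatchOptions) -> bool {
    let is_wildcard = pat.contains('*');
    if is_wildcard && opts.require_literal_leading_dot && name.starts_with('.') && !pat.starts_with('.') {
        return false;
    }
    glob_match(pat.as_bytes(), name.as_bytes())
}

/// Match pattern components against path components. `**` spans zero or more
/// components and every component it swallows is subject to the dotfile rule.
fn match_components(pats: &[&str], names: &[&str], opts: MatchOptions) -> bool {
    match pats.split_first() {
        None => names.is_empty(),
        Some((&"**", rest)) => {
            for i in 0..=names.len() {
                if match_components(rest, &names[i..], opts) {
                    return true;
                }
                // `**` would have to swallow names[i]; refuse if that is a dotfile.
                if i < names.len() && opts.require_literal_leading_dot && names[i].starts_with('.') {
                    return false;
                }
            }
            false
        }
        Some((pat, rest)) => match names.split_first() {
            Some((name, rest_names)) => {
                component_matches(pat, name, opts) && match_components(rest, rest_names, opts)
            }
            None => false,
        },
    }
}

/// Split an absolute path or pattern into its non-empty components.
fn split(p: &str) -> Vec<&str> {
    p.split('/').filter(|c| !c.is_empty()).collect()
}

/// Does `path` fall inside any allow-list pattern in `scope`?
/// Both sides are assumed to be already-resolved absolute paths.
pub fn is_allowed(scope: &[&str], path: &str, opts: MatchOptions) -> bool {
    let names = split(path);
    scope.iter().any(|pat| match_components(&split(pat), &names, opts))
}

fn main() {
    let strict = MatchOptions { require_literal_leading_dot: true };
    let lax = MatchOptions { require_literal_leading_dot: false };
    // Constructed sample scope and paths; $HOME is assumed to resolve to /home/user.
    let scope = ["/home/user/*"];
    let cases = [
        ("/home/user/notes.txt", strict, "strict"),
        ("/home/user/.ssh", strict, "strict"),
        ("/home/user/.ssh", lax, "lax (regressed)"),
    ];
    for &(path, opts, label) in cases.iter() {
        println!("{label:>16}: {path} -> allowed = {}", is_allowed(&scope, path, opts));
    }
}
```

The design point is that the wildcard check is where the decision has to live: a scope of $HOME/* with the literal-dot requirement switched off is, from the point of view of a compromised or malicious webview, a grant of $HOME/.ssh, $HOME/.gnupg and every other dotdirectory, so an application that relies on wildcard scopes should verify which behaviour its Tauri version actually implements rather than assume the default.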

Patches

The regression has been patched in v1.4.1.

Workarounds

There are no known workarounds at this time; users should update to v1.4.1 immediately.

References

See the original advisory for more information.

For more Information

If you have any questions or comments about this advisory:

Open an issue in tauri
Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-wmff-grcw-jcfm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13bWZmLWdyY3ctamNmbc4AAz-M
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 6 months ago


CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Identifiers: GHSA-wmff-grcw-jcfm, CVE-2023-34460
References: Repository: https://github.com/tauri-apps/tauri
Blast Radius: 17.5

Affected Packages

cargo:tauri
Dependent packages: 70
Dependent repositories: 4,409
Downloads: 1,870,414 total
Affected Version Ranges: = 1.4.0
Fixed in: 1.4.1
All affected versions: 1.4.0
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.11.0, 0.11.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2