Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13bWZmLWdyY3ctamNmbc4AAz-M
Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles
Impact
The 1.4.0 release includes a regression on the filesystem scope check for dotfiles on Linux and macOS.
Previously dotfiles (e.g. $HOME/.ssh/) were not implicitly allowed by the glob wildcard scopes (e.g. $HOME/*), but a regression was introduced when a configuration option for this behavior was implemented, and dotfiles became implicitly allowed by such wildcards.
Only Tauri applications using wildcard scopes in the fs endpoint are affected.
Only macOS and Linux systems are affected.
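The dotfile rule the Impact section describes, as an added worked example for this page (it is not Tauri's code and does not reproduce Tauri's matcher): a minimal glob scope checker with a require_literal_leading_dot switch, the same idea as the option of that name in the Rust glob crate. With the switch on, a wildcard component such as * or ** never matches a path component that starts with a dot, so $HOME/* does not reach $HOME/.ssh; with it off, which is the regressed 1.4.0 behaviour on Linux and macOS, the same scope silently covers dotfiles. The home directory, file names and the rule that * stays within one path component while ** spans components are assumptions of this example.

```rust
// Added illustration for this advisory: a minimal glob-scope matcher with the
// "require literal leading dot" rule. Simplified stand-in written for this
// page, not Tauri's own scope code. Assumption: '*' and '?' stay within one
// path component, '**' spans whole components.

#[derive(Clone, Copy, Debug)]
pub struct MatchOptions {
    /// If true, a component starting with '.' is only matched by a pattern
    /// component that itself starts with a literal '.', never by a wildcard.
    /// This is the pre-1.4.0 (and 1.4.1+) behaviour the advisory describes.
    pub require_literal_leading_dot: bool,
}

fn components(s: &str) -> Vec<&str> {
    s.split('/').filter(|c| !c.is_empty()).collect()
}

/// Match one path component against one pattern component ('*' and '?').
fn match_component(pat: &[char], name: &[char]) -> bool {
    match (pat.first(), name.first()) {
        (None, None) => true,
        (None, Some(_)) => false,
        // '*' matches zero characters, or consumes one and keeps going
        (Some('*'), _) => {
            match_component(&pat[1..], name)
                || (!name.is_empty() && match_component(pat, &name[1..]))
        }
        (Some('?'), Some(_)) => match_component(&pat[1..], &name[1..]),
        (Some(p), Some(n)) => p == n && match_component(&pat[1..], &name[1..]),
        (Some(_), None) => false,
    }
}

fn match_components(pat: &[&str], path: &[&str], opts: MatchOptions) -> bool {
    match pat.first() {
        None => path.is_empty(),
        Some(&"**") => {
            // '**' swallows zero or more whole components, but under the
            // literal-leading-dot rule it may never swallow a dot component.
            for i in 0..=path.len() {
                if opts.require_literal_leading_dot
                    && path[..i].iter().any(|c| c.starts_with('.'))
                {
                    return false;
                }
                if match_components(&pat[1..], &path[i..], opts) {
                    return true;
                }
            }
            false
        }
        Some(p) => {
            let name = match path.first() {
                Some(n) => *n,
                None => return false,
            };
            // The rule itself: a dot component needs a literal dot in the pattern.
            if opts.require_literal_leading_dot && name.starts_with('.') && !p.starts_with('.') {
                return false;
            }
            let pc: Vec<char> = p.chars().collect();
            let nc: Vec<char> = name.chars().collect();
            match_component(&pc, &nc) && match_components(&pat[1..], &path[1..], opts)
        }
    }
}

pub fn glob_matches(pattern: &str, path: &str, opts: MatchOptions) -> bool {
    match_components(&components(pattern), &components(path), opts)
}

/// Toy fs scope: allow globs, deny globs, and the dotfile option.
/// Modelled on the shape of an fs scope, not on Tauri's API.
pub struct FsScope {
    allow: Vec<String>,
    deny: Vec<String>,
    opts: MatchOptions,
}

impl FsScope {
    pub fn new(allow: &[&str], deny: &[&str], require_literal_leading_dot: bool) -> Self {
        FsScope {
            allow: allow.iter().map(|s| s.to_string()).collect(),
            deny: deny.iter().map(|s| s.to_string()).collect(),
            opts: MatchOptions { require_literal_leading_dot },
        }
    }

    fn any_match(&self, globs: &[String], path: &str) -> bool {
        globs.iter().any(|g| glob_matches(g, path, self.opts))
    }

    /// A path must hit an allow glob and no deny glob.
    pub fn is_allowed(&self, path: &str) -> bool {
        self.any_match(&self.allow, path) && !self.any_match(&self.deny, path)
    }
}

fn main() {
    // Constructed sample: a home directory and the advisory's wildcard scope.
    let home = "/home/alice";
    let allow = [format!("{home}/*"), format!("{home}/**")];
    let allow: Vec<&str> = allow.iter().map(String::as_str).collect();
    let probes = [
        format!("{home}/notes.txt"),
        format!("{home}/.bashrc"),
        format!("{home}/.ssh/id_ed25519"),
    ];
    for (label, literal_dot) in [("intended (pre-1.4.0, 1.4.1+)", true), ("regressed (1.4.0)", false)] {
        let scope = FsScope::new(&allow, &[], literal_dot);
        println!("{label}:");
        for p in &probes {
            let verdict = if scope.is_allowed(p) { "ALLOWED" } else { "denied" };
            println!("  {p}: {verdict}");
        }
    }
}
```

Under the strict rule the only way to reach $HOME/.ssh is a scope that spells the dot out, e.g. $HOME/.ssh/*, which is exactly the explicit opt-in the wildcard was supposed to require; the regressed mode shows why a scope the developer believed was limited to ordinary files also exposes SSH keys and shell rc files.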
Patches
The regression has been patched in v1.4.1.
Workarounds
There are no known workarounds at this time; users should update to v1.4.1 immediately.
References
See the original advisory for more information.
For more Information
If you have any questions or comments about this advisory:
Open an issue in tauri
Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13bWZmLWdyY3ctamNmbc4AAz-M
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 6 months ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Identifiers: GHSA-wmff-grcw-jcfm, CVE-2023-34460
References:
- https://github.com/tauri-apps/tauri/security/advisories/GHSA-6mv3-wm7j-h4w5
- https://github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm
- https://github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347
- https://github.com/tauri-apps/tauri/pull/7227
- https://github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564
- https://nvd.nist.gov/vuln/detail/CVE-2023-34460
- https://github.com/advisories/GHSA-wmff-grcw-jcfm
Blast Radius: 17.5
Affected Packages
cargo:tauri
Dependent packages: 70
Dependent repositories: 4,409
Downloads: 1,870,414 total
Affected Version Ranges: = 1.4.0
Fixed in: 1.4.1
All affected versions: 1.4.0
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.11.0, 0.11.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2