
CVE-2023-34460 tauri

Package

Manager: cargo
Name: tauri
Vulnerable Version: =1.4.0 || >=1.4.0 <1.4.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00061 (percentile: 0.19148)

Details

Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles

### Impact

The 1.4.0 release includes a regression in the filesystem scope check for dotfiles on Linux and macOS. Previously, dotfiles (e.g. `$HOME/.ssh/`) were not implicitly allowed by glob wildcard scopes (e.g. `$HOME/*`), but a regression was introduced when a configuration option for this behavior was implemented, and dotfiles became implicitly allowed.

Only Tauri applications using wildcard scopes in the `fs` endpoint are affected. Only macOS and Linux systems are affected.

### Patches

The regression has been patched in `v1.4.1`.

### Workarounds

There are no known workarounds at this time. Users should update to `v1.4.1` immediately.

### References

See the [original advisory](https://github.com/tauri-apps/tauri/security/advisories/GHSA-6mv3-wm7j-h4w5) for more information.

### For more information

If you have any questions or comments about this advisory:

- Open an issue in tauri
- Email us at [security@tauri.app](mailto:security@tauri.app)
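
The difference described under Impact, as an added example that is not Tauri's code: a simplified model of a wildcard scope check that can be used to confirm that a scope such as `$HOME/*` does not implicitly cover dotfiles. The functions `component_matches` and `scope_allows`, the sample paths, and the rule that `*` stays within one path component are assumptions of this sketch; the flag name is borrowed from the `glob` crate's `MatchOptions::require_literal_leading_dot` field.

```rust
// Simplified model of a wildcard filesystem scope check (not Tauri's code).
// `*` matches any run of characters inside one path component.
fn component_matches(pat: &[u8], name: &[u8]) -> bool {
    match pat.first() {
        None => name.is_empty(),
        Some(&b'*') => (0..=name.len()).any(|i| component_matches(&pat[1..], &name[i..])),
        Some(&c) => name.first() == Some(&c) && component_matches(&pat[1..], &name[1..]),
    }
}

// Returns true when `path` falls inside the scope `pattern`.
// With `require_literal_leading_dot` set, a component starting with `.` is
// only allowed when the pattern component also starts with a literal `.`.
fn scope_allows(pattern: &str, path: &str, require_literal_leading_dot: bool) -> bool {
    let pats: Vec<&str> = pattern.split('/').collect();
    let parts: Vec<&str> = path.split('/').collect();
    if pats.len() != parts.len() {
        return false; // `*` never crosses a `/` in this model
    }
    pats.iter().zip(parts.iter()).all(|(p, n)| {
        if require_literal_leading_dot && n.starts_with('.') && !p.starts_with('.') {
            return false;
        }
        component_matches(p.as_bytes(), n.as_bytes())
    })
}

fn main() {
    // Constructed sample scope and paths.
    let scope = "/home/user/*";
    let paths = ["/home/user/notes.txt", "/home/user/.ssh", "/home/user/.bashrc"];
    for path in paths {
        println!(
            "{:<22} dotfiles implicit: {:<5} dot must be literal: {}",
            path,
            scope_allows(scope, path, false),
            scope_allows(scope, path, true)
        );
    }
}
```

The first result column models the regressed behavior, where the wildcard also admits `.ssh` and `.bashrc`; the second models the intended behavior, where a dotfile is reachable only through a scope that names the leading dot explicitly.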

Metadata

Created: 2023-06-21T18:35:21Z
Modified: 2023-06-21T18:35:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-wmff-grcw-jcfm/GHSA-wmff-grcw-jcfm.json
CWE IDs: ["CWE-285"]
Alternative ID: GHSA-wmff-grcw-jcfm
Finding: F039
Auto approve: 1