GHSA-28m8-9j7v-x499

Source

https://github.com/advisories/GHSA-28m8-9j7v-x499

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-28m8-9j7v-x499/GHSA-28m8-9j7v-x499.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-28m8-9j7v-x499

Aliases

Published

2022-09-16T19:28:49Z

Modified

2023-11-08T04:10:15.123159Z

Severity

5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS Calculator

Summary

Tauri's readDir Endpoint Scope can be Bypassed With Symbolic Links

Details

Impact

Due to missing canonicalization when readDir is called recursively, it was possible to display directory listings outside of the defined fs scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs scope. No arbitrary file content could be leaked.

Patches

The issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined scope.

Workarounds

Disable the readDir endpoint in the allowlist inside the tauri.conf.json.

For more information

This issue was initially reported by martin-ocasek in #4882.

If you have any questions or comments about this advisory: * Open an issue in tauri * Email us at security@tauri.app

Database specific

{
    "nvd_published_at": "2022-09-15T22:15:00Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22",
        "CWE-59"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2022-09-16T19:28:49Z"
}

References

Affected packages

crates.io / tauri

Package

Name: tauri; View open source insights on deps.dev
Purl: pkg:cargo/tauri

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.6