GHSA-28m8-9j7v-x499

Source
https://github.com/advisories/GHSA-28m8-9j7v-x499
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-28m8-9j7v-x499/GHSA-28m8-9j7v-x499.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-28m8-9j7v-x499
Aliases
Published
2022-09-16T19:28:49Z
Modified
2023-11-08T04:10:15.123159Z
Severity
  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
Summary
Tauri's readDir Endpoint Scope can be Bypassed With Symbolic Links
Details

Impact

Due to missing canonicalization when readDir is called recursively, it was possible to display directory listings outside of the defined fs scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs scope. No arbitrary file content could be leaked.

Patches

The issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined scope.
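The fixed behaviour described above, as an added example that is not Tauri's own code: a recursive directory walk that canonicalizes every entry and refuses to list or descend into anything that resolves outside the allowed fs scope. The function names and the in-scope loop guard are this example's own assumptions.

```rust
use std::collections::HashSet;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Recursively list `dir`, keeping only entries whose canonical (symlink- and
/// junction-resolved) path still lies inside the canonical `scope`. Anything that
/// resolves outside the scope is neither listed nor descended into.
/// Returns the canonical paths of the retained entries.
pub fn read_dir_scoped(dir: &Path, scope: &Path) -> io::Result<Vec<PathBuf>> {
    let scope = fs::canonicalize(scope)?;
    // The starting directory itself must resolve inside the scope.
    let start = fs::canonicalize(dir)?;
    if !start.starts_with(&scope) {
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, "path outside fs scope"));
    }
    let mut out = Vec::new();
    let mut seen = HashSet::new();
    walk(&start, &scope, &mut seen, &mut out)?;
    Ok(out)
}

fn walk(dir: &Path, scope: &Path, seen: &mut HashSet<PathBuf>, out: &mut Vec<PathBuf>) -> io::Result<()> {
    // Guard against symlink loops that stay inside the scope (e.g. sub/loop -> sub).
    if !seen.insert(dir.to_path_buf()) {
        return Ok(());
    }
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        // Canonicalize each entry, not just the parent directory: this per-entry
        // check is what the recursive listing was missing.
        let real = match fs::canonicalize(entry.path()) {
            Ok(p) => p,
            Err(_) => continue, // dangling link or unreadable target: skip it
        };
        if !real.starts_with(scope) {
            continue; // resolves outside the allowed scope: do not list or recurse
        }
        out.push(real.clone());
        if real.is_dir() {
            walk(&real, scope, seen, out)?;
        }
    }
    Ok(())
}
```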

Workarounds

Disable the readDir endpoint in the allowlist inside the tauri.conf.json.

For more information

This issue was initially reported by martin-ocasek in #4882.

If you have any questions or comments about this advisory:
  • Open an issue in tauri
  • Email us at security@tauri.app

Database specific
{
    "nvd_published_at": "2022-09-15T22:15:00Z",
    "github_reviewed_at": "2022-09-16T19:28:49Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22",
        "CWE-59"
    ]
}
References

Affected packages

crates.io / tauri

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.0.6