GHSA-wmff-grcw-jcfm

Source
https://github.com/advisories/GHSA-wmff-grcw-jcfm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-wmff-grcw-jcfm/GHSA-wmff-grcw-jcfm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wmff-grcw-jcfm
Published
2023-06-21T18:35:21Z
Modified
2023-11-08T04:12:47.368407Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Summary
Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles
Details

Impact

The 1.4.0 release includes a regression on the filesystem scope check for dotfiles on Linux and macOS.

Previously, dotfiles (e.g. $HOME/.ssh/) were not implicitly allowed by glob wildcard scopes (e.g. $HOME/*). A regression was introduced when a configuration option for this behavior was implemented, and dotfiles became implicitly allowed.

Only Tauri applications using wildcard scopes in the fs endpoint are affected. Only macOS and Linux systems are affected.
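
The dotfile behavior described above, as an added example that is not Tauri's or the advisory's own code: a simplified wildcard matcher showing how the same scope pattern treats dotfiles with and without a literal-leading-dot rule. The function names, the `/home/alice` paths and the matcher itself are constructed for illustration; the `require_literal_leading_dot` parameter is named after the field of that name in the `glob` crate's `MatchOptions`.

```rust
// Added illustration: a minimal wildcard matcher, not Tauri's or the glob crate's code.
// `*` matches any run of bytes (including '/'), `?` matches exactly one byte.

/// True when path[i] is a '.' that starts a path component.
fn is_leading_dot(path: &[u8], i: usize) -> bool {
    i < path.len() && path[i] == b'.' && (i == 0 || path[i - 1] == b'/')
}

fn glob_match(pat: &[u8], pi: usize, path: &[u8], si: usize, literal_dot: bool) -> bool {
    if pi == pat.len() {
        return si == path.len();
    }
    match pat[pi] {
        b'*' => {
            // Try every length for the run consumed by `*`, shortest first.
            let mut end = si;
            loop {
                if glob_match(pat, pi + 1, path, end, literal_dot) {
                    return true;
                }
                // Stop at end of input, or at a leading dot the wildcard may not consume.
                if end == path.len() || (literal_dot && is_leading_dot(path, end)) {
                    return false;
                }
                end += 1;
            }
        }
        b'?' => {
            si < path.len()
                && !(literal_dot && is_leading_dot(path, si))
                && glob_match(pat, pi + 1, path, si + 1, literal_dot)
        }
        c => si < path.len() && path[si] == c
            && glob_match(pat, pi + 1, path, si + 1, literal_dot),
    }
}

/// Hypothetical scope check: does `pattern` allow access to `path`?
pub fn scope_allows(pattern: &str, path: &str, require_literal_leading_dot: bool) -> bool {
    glob_match(pattern.as_bytes(), 0, path.as_bytes(), 0, require_literal_leading_dot)
}

fn main() {
    let scope = "/home/alice/*"; // constructed stand-in for $HOME/*
    let paths = ["/home/alice/notes.txt", "/home/alice/.ssh/id_ed25519", "/home/alice/docs/.env"];
    for path in paths.iter() {
        // strict = dotfiles need a literal '.', permissive = the regressed behavior
        println!("{}: strict={} permissive={}", path,
            scope_allows(scope, path, true), scope_allows(scope, path, false));
    }
}
```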

Patches

The regression has been patched in v1.4.1.

Workarounds

There are no known workarounds at this time. Users should update to v1.4.1 immediately.

References

See the original advisory for more information.

For more information

If you have any questions or comments about this advisory:

  • Open an issue in tauri
  • Email us at security@tauri.app

Affected packages

crates.io / tauri

Package

Affected ranges

Type
SEMVER
Events
Introduced
1.4.0
Fixed
1.4.1

Affected versions

1.*

1.4.0