Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles

Description

Impact

The 1.4.0 release includes a regression on the filesystem scope check for dotfiles on Linux and macOS.

Previously, dotfiles (e.g. $HOME/.ssh/) were not implicitly matched by glob wildcard scopes (e.g. $HOME/*). Version 1.4.0 added a configuration option controlling this behaviour, and that change introduced a regression under which wildcard scopes implicitly matched dotfiles as well, so an application that only meant to expose $HOME/* could be made to read or write paths such as $HOME/.ssh/.

Only Tauri applications using wildcard scopes in the fs endpoint are affected.
Only macOS and Linux systems are affected.
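To make the regression concrete, the following is an added example and not Tauri's own code: a simplified model of a filesystem scope check in which `*` matches characters within one path component, `**` matches any run of components, and a `require_literal_leading_dot` flag (named after the `glob` crate's `MatchOptions` field; how Tauri spells its own option is not stated on this page and is assumed here) decides whether a wildcard may match a component that begins with `.`. The home directory, scope patterns and file paths are constructed sample data. With the flag on (the pre-1.4.0 and 1.4.1 behaviour), `$HOME/**` refuses `$HOME/.ssh/id_ed25519` unless the dotfile directory is listed literally; with the flag off (the 1.4.0 behaviour the advisory describes) the same wildcard scope silently covers it.

```rust
// Added example: a minimal scope matcher, not Tauri's implementation.
#[derive(Clone, Copy, Debug)]
pub struct MatchOptions {
    /// When true, `*` and `**` never match a path component that starts with `.`;
    /// such a component only matches if the pattern spells the leading dot out.
    pub require_literal_leading_dot: bool,
}

/// Match one path component against one pattern component. Only `*` is
/// supported as a wildcard (no `?` or `[...]`), which is enough for this model.
fn component_matches(pat: &str, comp: &str, opts: MatchOptions) -> bool {
    if opts.require_literal_leading_dot && comp.starts_with('.') && !pat.starts_with('.') {
        return false; // dotfile rule: the pattern must carry the literal dot
    }
    let parts: Vec<&str> = pat.split('*').collect();
    if parts.len() == 1 {
        return pat == comp; // no wildcard at all: exact comparison
    }
    let (first, last) = (parts[0], parts[parts.len() - 1]);
    if !comp.starts_with(first) {
        return false;
    }
    let mut rest = &comp[first.len()..];
    if !rest.ends_with(last) {
        return false;
    }
    rest = &rest[..rest.len() - last.len()];
    for mid in &parts[1..parts.len() - 1] {
        match rest.find(*mid) {
            Some(i) => rest = &rest[i + mid.len()..],
            None => return false,
        }
    }
    true
}

/// Split a slash-separated path into non-empty components. A real scope check
/// canonicalizes the path first (symlinks, `..`); this model assumes that was done.
fn components(path: &str) -> Vec<&str> {
    path.split('/').filter(|c| !c.is_empty()).collect()
}

/// Match component lists; `**` consumes zero or more whole components but is
/// still subject to the leading-dot rule for every component it swallows.
fn path_matches(pat: &[&str], path: &[&str], opts: MatchOptions) -> bool {
    let (pc, rest_pat) = match pat.split_first() {
        Some(x) => x,
        None => return path.is_empty(),
    };
    if *pc == "**" {
        if path_matches(rest_pat, path, opts) {
            return true; // `**` matched nothing
        }
        return match path.split_first() {
            Some((comp, rest_path)) => {
                !(opts.require_literal_leading_dot && comp.starts_with('.'))
                    && path_matches(pat, rest_path, opts)
            }
            None => false,
        };
    }
    match path.split_first() {
        Some((comp, rest_path)) => {
            component_matches(pc, comp, opts) && path_matches(rest_pat, rest_path, opts)
        }
        None => false,
    }
}

/// An allow/deny scope in the spirit of a Tauri `fs` scope (assumed shape, not
/// the real config struct). Deny entries win over allow entries.
pub struct FsScope {
    allow: Vec<String>,
    deny: Vec<String>,
    opts: MatchOptions,
}

impl FsScope {
    pub fn new(allow: &[&str], deny: &[&str], require_literal_leading_dot: bool) -> Self {
        FsScope {
            allow: allow.iter().map(|s| s.to_string()).collect(),
            deny: deny.iter().map(|s| s.to_string()).collect(),
            opts: MatchOptions { require_literal_leading_dot },
        }
    }

    pub fn is_allowed(&self, path: &str) -> bool {
        let comps = components(path);
        let hits = |p: &String| path_matches(&components(p), &comps, self.opts);
        !self.deny.iter().any(|p| hits(p)) && self.allow.iter().any(|p| hits(p))
    }
}

/// Constructed scenario: an app declares the wildcard scope `$HOME/**` and the
/// frontend asks for an SSH key. Returns (secure, regressed, explicit-opt-in).
pub fn demo() -> (bool, bool, bool) {
    let home = "/home/alice"; // constructed, not read from the environment
    let wildcard = format!("{}/**", home);
    let key = format!("{}/.ssh/id_ed25519", home);
    let secure = FsScope::new(&[wildcard.as_str()], &[], true); // pre-1.4.0 and 1.4.1 rule
    let regressed = FsScope::new(&[wildcard.as_str()], &[], false); // 1.4.0 behaviour
    let explicit = FsScope::new(&[wildcard.as_str(), "/home/alice/.config/**"], &[], true);
    (
        secure.is_allowed(&key),
        regressed.is_allowed(&key),
        explicit.is_allowed("/home/alice/.config/app/settings.json"),
    )
}

fn main() {
    let (secure, regressed, explicit) = demo();
    println!("secure rule denies $HOME/.ssh key:  {}", !secure);
    println!("regressed rule allows it:            {}", regressed);
    println!("literal .config/** still opts in:    {}", explicit);
}
```

The point for an application author is the last line of `demo`: with the secure rule, a dotfile directory the app legitimately needs (a `.config` tree, say) is still reachable, but only by naming it in the scope with the literal leading dot, which keeps `$HOME/*` or `$HOME/**` from quietly covering credentials and shell configuration.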

Patches

The regression has been patched on v1.4.1.

Workarounds

There are no known workarounds at this time; users should update to v1.4.1 immediately.

References

See the original advisory for more information.

For more Information

If you have any questions or comments about this advisory:

Open an issue in tauri
Email us at [email protected]

Basic information

Type
reviewed
Severity
medium
Published (advisory)
2023-06-21 18:35:21 UTC
Updated
2023-11-07 05:02:26 UTC
GitHub reviewed
2023-06-21 18:35:21 UTC
NVD published
2023-06-23

EPSS Score

Score: 0.08%
Percentile: 24.11%

CVSS Scores

Base score: 4.8
Version: 3.1
Severity: medium
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack vector (AV:A)
The attacker must be on an adjacent network (the same link or local segment), not anywhere on the internet.
Attack complexity (AC:L)
Once the attacker can reach the vulnerable component, exploitation is straightforward; no race conditions or unusual preconditions are needed.
Privileges required (PR:H)
The attacker needs high privileges (administrator, root or equivalent) before the attack pays off.
User interaction (UI:N)
No victim action is required; the attack works without anyone clicking a prompt or opening a file.
Scope (S:C)
A successful exploit reaches beyond the vulnerable component and affects other resources, widening the blast radius.
Confidentiality (C:L)
Some sensitive information can be disclosed, but not a complete data dump.
Integrity (I:L)
Some data can be modified, but the impact is limited.
Availability (A:N)
The service keeps running; there is no denial-of-service angle.

Identifiers

CWEs

CWE id Name
CWE-285 Improper Authorization

Credits

  • tillmann-crabnebula (reporter)
  • chip-crabnebula (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem: rust
Package: tauri
Vulnerable range: = 1.4.0
First patched: 1.4.1
Vulnerable functions: not listed
