CVE-2022-41874

LOW2.3EPSS 0.19%

`tauri` filesystem scope partial bypass

Published: 11/8/2022Modified: 11/8/2023

Also known as:GHSA-q9wv-22m9-vhqhRUSTSEC-2022-0091

Description

A bug identified in [this](https://github.com/tauri-apps/tauri/issues/5234) issue allows a partial filesystem scope bypass if glob characters are used within file dialog or drag-and-drop functionalities. [This](https://github.com/tauri-apps/tauri/pull/5237) PR fixes the issue by escaping glob characters.

Affected packages (2)

crates.io/tauri>= 1.0.0, < 1.0.7, >= 1.1.0, < 1.1.2
crates.io/Tauri>= 1.0.0, < 1.0.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW2.3	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

References (7)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-41874
PATCHhttps://crates.io/crates/tauri
PATCHhttps://github.com/tauri-apps/tauri
WEBhttps://github.com/tauri-apps/tauri/issues/5234
WEBhttps://github.com/tauri-apps/tauri/pull/5237
WEBhttps://github.com/tauri-apps/tauri/security/advisories/GHSA-q9wv-22m9-vhqh
WEBhttps://rustsec.org/advisories/RUSTSEC-2022-0091.html