CVE-2023-34460
Severity: MEDIUM 4.8 | EPSS 0.09%
Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles
Description
### Impact

The 1.4.0 release includes a regression in the filesystem scope check for dotfiles on Linux and macOS. Previously, dotfiles (e.g. `$HOME/.ssh/`) were not implicitly matched by glob wildcard scopes (e.g. `$HOME/*`). When a configuration option for this behavior was implemented, a regression was introduced and dotfiles became implicitly allowed by such wildcard scopes. Only Tauri applications using wildcard scopes in the `fs` endpoint are affected, and only on macOS and Linux.

### Patches

The regression has been patched in `v1.4.1`.

### Workarounds

There are no known workarounds at this time; users should update to `v1.4.1` immediately.

### References

See the [original advisory](https://github.com/tauri-apps/tauri/security/advisories/GHSA-6mv3-wm7j-h4w5) for more information.

### For more Information

If you have any questions or comments about this advisory:

- Open an issue in tauri
- Email us at [[email protected]](mailto:[email protected])
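To make the scope-check behaviour concrete, the following is an added example, not code from the Tauri project: a small standalone glob matcher in Rust whose `require_literal_leading_dot` flag (named after the field of the same name in the `glob` crate's `MatchOptions`) models the intended rule that a leading `.` in a path segment must be matched by a literal `.` in the pattern. With the flag on, `/home/user/*` and `/home/user/**` reject `.ssh` and everything under it, which is the patched behaviour; with it off, the wildcard silently includes dotfiles, which is the regressed behaviour. The `/home/user` prefix stands in for an already-expanded `$HOME` and is an assumption of the example.

```rust
// Added example (not Tauri's implementation): a minimal glob scope check
// that shows why wildcard scopes must not implicitly match dotfiles.

/// Match one path segment against one glob segment supporting `*` and `?`.
fn segment_matches(pat: &[char], name: &[char]) -> bool {
    if pat.is_empty() {
        return name.is_empty();
    }
    match pat[0] {
        // `*` consumes zero or more characters within the segment only.
        '*' => (0..=name.len()).any(|i| segment_matches(&pat[1..], &name[i..])),
        '?' => !name.is_empty() && segment_matches(&pat[1..], &name[1..]),
        c => !name.is_empty() && name[0] == c && segment_matches(&pat[1..], &name[1..]),
    }
}

/// Match a list of glob segments against a list of path segments.
/// `**` matches zero or more whole segments. When `literal_dot` is set,
/// any segment starting with `.` may only be matched by a pattern
/// segment that itself starts with a literal `.`.
fn segments_match(pats: &[&str], names: &[&str], literal_dot: bool) -> bool {
    if pats.is_empty() {
        return names.is_empty();
    }
    if pats[0] == "**" {
        for i in 0..=names.len() {
            // `**` must never swallow a hidden segment under the literal-dot rule.
            if literal_dot && names[..i].iter().any(|n| n.starts_with('.')) {
                break;
            }
            if segments_match(&pats[1..], &names[i..], literal_dot) {
                return true;
            }
        }
        return false;
    }
    if names.is_empty() {
        return false;
    }
    if literal_dot && names[0].starts_with('.') && !pats[0].starts_with('.') {
        return false;
    }
    let p: Vec<char> = pats[0].chars().collect();
    let n: Vec<char> = names[0].chars().collect();
    segment_matches(&p, &n) && segments_match(&pats[1..], &names[1..], literal_dot)
}

/// Does `path` fall inside the scope described by `pattern`?
/// Both are split on `/`; empty segments (leading slash, `//`) are ignored.
pub fn scope_allows(pattern: &str, path: &str, require_literal_leading_dot: bool) -> bool {
    let pats: Vec<&str> = pattern.split('/').filter(|s| !s.is_empty()).collect();
    let names: Vec<&str> = path.split('/').filter(|s| !s.is_empty()).collect();
    segments_match(&pats, &names, require_literal_leading_dot)
}

fn main() {
    // Constructed sample paths; `/home/user` plays the role of an expanded `$HOME`.
    let cases = [
        ("/home/user/*", "/home/user/notes.txt"),
        ("/home/user/*", "/home/user/.ssh"),
        ("/home/user/**", "/home/user/.ssh/id_ed25519"),
        ("/home/user/**", "/home/user/docs/a.txt"),
        ("/home/user/.ssh/*", "/home/user/.ssh/config"),
    ];
    println!("{:<22} {:<32} patched regressed", "scope", "path");
    for (pattern, path) in cases {
        println!(
            "{:<22} {:<32} {:<7} {}",
            pattern,
            path,
            scope_allows(pattern, path, true),
            scope_allows(pattern, path, false)
        );
    }
}
```

The check worth keeping in mind when reviewing a scope configuration: a scope of `$HOME/**` only stays out of `~/.ssh`, `~/.gnupg` and similar directories while the literal-leading-dot rule is enforced, so the rule is part of the security boundary, not a cosmetic matching detail.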
Affected packages (1)
- crates.io/tauri: >= 1.4.0, < 1.4.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.8 | CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-34460
- PATCH: https://github.com/tauri-apps/tauri
- WEB: https://github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564
- WEB: https://github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347
- WEB: https://github.com/tauri-apps/tauri/pull/7227
- WEB: https://github.com/tauri-apps/tauri/security/advisories/GHSA-6mv3-wm7j-h4w5
- WEB: https://github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm