CVE-2022-39215

Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked. The issue has been resolved in version 1.0.6 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined `scope`. Users are advised to upgrade. Users unable to upgrade should disable the `readDir` endpoint in the `allowlist` inside the `tauri.conf.json`.

CVSS v3 5.8 MEDIUM

5.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/tauri-apps/tauri/issues/4882	Exploit Issue Tracking Third Party Advisory
https://github.com/tauri-apps/tauri/pull/5123	Patch Third Party Advisory
https://github.com/tauri-apps/tauri/pull/5123/commits/1f9b9e8d26a2c915390323e161020bcb36d44678	Patch Third Party Advisory
https://github.com/tauri-apps/tauri/security/advisories/GHSA-28m8-9j7v-x499	Mitigation Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tauri:tauri:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-09-15 22:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-39215

Mitre link : CVE-2022-39215

CVE.ORG link : CVE-2022-39215

JSON object : View

Products Affected

tauri

tauri

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2022-39215", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 3.9}]}, "published": "2022-09-15T22:15:11.527", "references": [{"url": "https://github.com/tauri-apps/tauri/issues/4882", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tauri-apps/tauri/pull/5123", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tauri-apps/tauri/pull/5123/commits/1f9b9e8d26a2c915390323e161020bcb36d44678", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-28m8-9j7v-x499", "tags": ["Mitigation", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-59"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked. The issue has been resolved in version 1.0.6 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined `scope`. Users are advised to upgrade. Users unable to upgrade should disable the `readDir` endpoint in the `allowlist` inside the `tauri.conf.json`."}, {"lang": "es", "value": "Tauri es un framework para construir binarios para las principales plataformas de escritorio. Debido a una falta de canonizaci\u00f3n cuando es llamada recursivamente a \"readDir\", era posible mostrar listados de directorios fuera del \u00e1mbito definido de \"fs\". Esto requer\u00eda un enlace simb\u00f3lico dise\u00f1ado o una carpeta de uni\u00f3n dentro de una ruta permitida del \u00e1mbito \"fs\". No se pod\u00eda filtrar contenido de archivos arbitrarios. El problema ha sido resuelto en versi\u00f3n 1.0.6 y la implementaci\u00f3n ahora comprueba apropiadamente si el (sub)directorio solicitado es un enlace simb\u00f3lico fuera del \u00e1mbito definido. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizarse deber\u00e1n deshabilitar el endpoint \"readDir\" en \"allowlist\" dentro de \"tauri.conf.json\""}], "lastModified": "2022-09-21T06:12:33.637", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tauri:tauri:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BE5A2510-1D82-4D06-BFDC-08FA3942EDC8", "versionEndExcluding": "1.0.6"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}