GHSA-28M8-9J7V-X499

Vulnerability from github – Published: 2022-09-16 19:28 – Updated: 2022-09-22 17:28
VLAI?
Summary
Tauri's readDir Endpoint Scope can be Bypassed With Symbolic Links
Details

Impact

Due to missing canonicalization when readDir is called recursively, it was possible to display directory listings outside of the defined fs scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs scope. No arbitrary file content could be leaked.

Patches

The issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined scope.

Workarounds

Disable the readDir endpoint in the allowlist inside the tauri.conf.json.

For more information

This issue was initially reported by martin-ocasek in #4882.

If you have any questions or comments about this advisory: * Open an issue in tauri * Email us at security@tauri.app

Severity ?
5.8 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "tauri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T19:28:49Z",
    "nvd_published_at": "2022-09-15T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nDue to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked.\n\n\n### Patches\nThe issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the\nrequested (sub) directory is a symbolic link outside of the defined `scope`.\n\n### Workarounds\nDisable the `readDir` endpoint in the `allowlist` inside the `tauri.conf.json`.\n\n### For more information\n\nThis issue was initially reported by [martin-ocasek]( https://github.com/martin-ocasek) in [#4882](https://github.com/tauri-apps/tauri/issues/4882).\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [tauri](https://github.com/tauri-apps/tauri)\n* Email us at [security@tauri.app](mailto:security@tauri.app)\n",
  "id": "GHSA-28m8-9j7v-x499",
  "modified": "2022-09-22T17:28:05Z",
  "published": "2022-09-16T19:28:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-28m8-9j7v-x499"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39215"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/issues/4882"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/pull/5123"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/pull/5123/commits/1f9b9e8d26a2c915390323e161020bcb36d44678"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/commit/bb178829086e80916f9be190f02d83bc25802799"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tauri-apps/tauri"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/releases/tag/tauri-v1.0.6"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0088.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Tauri\u0027s readDir Endpoint Scope can be Bypassed With Symbolic Links"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.