Vulnerability-Lookup

rustsec-2022-0091

Vulnerability from osv_rustsec

Published

2022-09-19 12:00

Modified

2023-02-25 15:16

Summary

`tauri` filesystem scope partial bypass

Details

A bug identified in this issue allows a partial filesystem scope bypass if glob characters are used within file dialog or drag-and-drop functionalities.

This PR fixes the issue by escaping glob characters.

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "privilege-escalation"
        ],
        "cvss": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "tauri",
        "purl": "pkg:cargo/tauri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.7"
            },
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.1.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2022-41874",
    "GHSA-q9wv-22m9-vhqh"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "A bug identified in [this](https://github.com/tauri-apps/tauri/issues/5234) issue allows a partial filesystem scope bypass if glob characters are used within file dialog or drag-and-drop functionalities.\n\n[This](https://github.com/tauri-apps/tauri/pull/5237) PR fixes the issue by escaping glob characters.",
  "id": "RUSTSEC-2022-0091",
  "modified": "2023-02-25T15:16:50Z",
  "published": "2022-09-19T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/tauri"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0091.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/tauri-apps/tauri/issues/5234"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "`tauri` filesystem scope partial bypass"
}

GHSA-Q9WV-22M9-VHQH

Vulnerability from github – Published: 2022-11-08 17:33 – Updated: 2023-02-28 16:52

Summary

Tauri Filesystem Scope can be Partially Bypassed

Details

Impact

Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functionality, it was possible to partially bypass the fs scope definition. It was not possible to traverse into arbitrary paths, as the issue was limited to neighboring files and sub folders of already allowed paths.

The impact differs on Windows, MacOS and Linux due to different specifications of valid path characters.

On Linux or MacOS based systems it was possible to use the *, ** and [a-Z] patterns inside a path, which allowed to read the content of sub directories and single character files in a folder, where only specific files or the directory itself were allowed.

On Windows [a-Z] was the possible bypass pattern, as * is not treated as a valid path component. This implies that only single character files inside an already allowed directory were unintentionally accessible.

This bypass depends on the file picker dialog or dragged files, as user selected paths are automatically added to the allow list at runtime.

A successful bypass requires the user to select a pre-existing malicious file or directory during the file picker dialog and an adversary controlled logic to access these files. This means the issue by itself can not be abused and requires further intentional or unintentional privileges.

Workaround

Disable the dialog and fileDropEnabled component inside the tauri.conf.json.

Patches

The issue has been resolved in #5237 and the implementation now properly escapes the special characters. The patch has been included in releases: 1.0.7, 1.1.2 and 1.2.0

For more information

This issue was initially reported by MessyComposer in #5234.

If you have any questions or comments about this advisory:

Open an issue in tauri Email us at security@tauri.app

Severity ?

2.3 (Low)


                  
                    CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "Tauri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "Tauri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-41874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T17:33:26Z",
    "nvd_published_at": "2022-11-10T21:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nDue to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functionality, it was possible to partially bypass the `fs` scope definition. It was not possible to traverse into arbitrary paths, as the issue was limited to neighboring files and sub folders of already allowed paths.\n\nThe impact differs on Windows, MacOS and Linux due to different specifications of valid path characters.\n\nOn Linux or MacOS based systems it was possible to use the `*`, `**` and `[a-Z]` patterns inside a path, which allowed to read the content of sub directories and single character files in a folder, where only specific files or the directory itself were allowed.\n\nOn Windows `[a-Z]` was the possible bypass pattern, as `*` is not treated as a valid path component. This implies that only single character files inside an already allowed directory were unintentionally accessible.\n\nThis bypass depends on the file picker dialog or dragged files, as user selected paths are automatically added to the allow list at runtime.\n\nA successful bypass requires the user to select a pre-existing malicious file or directory during the file picker dialog and an adversary controlled logic to access these files. This means the issue by itself can not be abused and requires further intentional or unintentional privileges.\n\n### Workaround\n\nDisable the `dialog` and `fileDropEnabled` component inside the `tauri.conf.json`.\n\n### Patches\n\nThe issue has been resolved in #5237 and the implementation now properly escapes the special characters. The patch has been included in releases: `1.0.7`, `1.1.2` and `1.2.0`\n\n### For more information\n\nThis issue was initially reported by MessyComposer in #5234.\n\nIf you have any questions or comments about this advisory:\n\nOpen an issue in tauri\nEmail us at security@tauri.app",
  "id": "GHSA-q9wv-22m9-vhqh",
  "modified": "2023-02-28T16:52:02Z",
  "published": "2022-11-08T17:33:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-q9wv-22m9-vhqh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41874"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/issues/5234"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/pull/5237"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tauri-apps/tauri"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0091.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Tauri Filesystem Scope can be Partially Bypassed"
}

CVE-2022-41874 (GCVE-0-2022-41874)

Vulnerability from cvelistv5 – Published: 2022-11-10 00:00 – Updated: 2025-04-23 16:38

Title

Tauri Filesystem Scope can be Partially Bypassed

Summary

Tauri is a framework for building binaries for all major desktop platforms. In versions prior to 1.0.7 and 1.1.2, Tauri is vulnerable to an Incorrectly-Resolved Name. Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functionality, it is possible to partially bypass the `fs` scope definition. It is not possible to traverse into arbitrary paths, as the issue is limited to neighboring files and sub folders of already allowed paths. The impact differs on Windows, MacOS and Linux due to different specifications of valid path characters. This bypass depends on the file picker dialog or dragged files, as user selected paths are automatically added to the allow list at runtime. A successful bypass requires the user to select a pre-existing malicious file or directory during the file picker dialog and an adversary controlled logic to access these files. The issue has been patched in versions 1.0.7, 1.1.2 and 1.2.0. As a workaround, disable the dialog and fileDropEnabled component inside the tauri.conf.json.

Severity ?

2.6 (Low)


                        
                          CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

CWE

CWE-668 - Exposure of Resource to Wrong Sphere
CWE-706 - Use of Incorrectly-Resolved Name or Reference

Assigner

GitHub_M

References

URL

Tags

https://github.com/tauri-apps/tauri/security/advi…

Impacted products

	Vendor	Product	Version
	tauri-apps	tauri	Affected: >= 1.0.0, <1.0.7 Affected: >= 1.1.0, <1.1.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:56:38.194Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-q9wv-22m9-vhqh"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-41874",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T13:54:51.769199Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:38:40.535Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "tauri",
          "vendor": "tauri-apps",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c1.0.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.1.0, \u003c1.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Tauri is a framework for building binaries for all major desktop platforms. In versions prior to 1.0.7 and 1.1.2, Tauri is vulnerable to an Incorrectly-Resolved Name. Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functionality, it is possible to partially bypass the `fs` scope definition. It is not possible to traverse into arbitrary paths, as the issue is limited to neighboring files and sub folders of already allowed paths. The impact differs on Windows, MacOS and Linux due to different specifications of valid path characters. This bypass depends on the file picker dialog or dragged files, as user selected paths are automatically added to the allow list at runtime. A successful bypass requires the user to select a pre-existing malicious file or directory during the file picker dialog and an adversary controlled logic to access these files. The issue has been patched in versions 1.0.7, 1.1.2 and 1.2.0. As a workaround, disable the dialog and fileDropEnabled component inside the tauri.conf.json."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668: Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-706",
              "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-10T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-q9wv-22m9-vhqh"
        }
      ],
      "source": {
        "advisory": "GHSA-q9wv-22m9-vhqh",
        "discovery": "UNKNOWN"
      },
      "title": "Tauri Filesystem Scope can be Partially Bypassed"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-41874",
    "datePublished": "2022-11-10T00:00:00.000Z",
    "dateReserved": "2022-09-30T00:00:00.000Z",
    "dateUpdated": "2025-04-23T16:38:40.535Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

rustsec-2022-0091

Vulnerability from osv_rustsec

GHSA-Q9WV-22M9-VHQH

Impact

Workaround

Patches

For more information

CVE-2022-41874 (GCVE-0-2022-41874)

Tags

Sightings

Nomenclature