Reported

August 7, 2022

Issued

February 5, 2023

Package

tauri (crates.io)

Type

Vulnerability

Categories

• privilege-escalation

Aliases

• CVE-2022-39215
• GHSA-28m8-9j7v-x499

References

• https://github.com/tauri-apps/tauri/issues/4882

CVSS Score

5.8 MEDIUM

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality Impact

Low

Integrity Impact

None

Availability Impact

None

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Patched

• >=1.0.6

Description

It is possible for readDir to incorrectly enumerate files from a symlinked directory if called recursively when specifying an empty string for the dir parameter as outlined in this issue.

This is corrected in this PR by checking if a directory is a symlink before reading from it.

Advisory available under CC0-1.0 license.