
RUSTSEC-2022-0088

tauri's readDir endpoint allows possible enumeration outside of filesystem scope

Reported
Issued
Package: tauri (crates.io)
Type: Vulnerability
Categories
Aliases
References
CVSS Score: 5.8 MEDIUM

CVSS Details
  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Patched
  • >=1.0.6

Description

When `readDir` is called recursively with an empty string for the `dir` parameter, it can incorrectly enumerate files through a symlinked directory, reaching files outside the allowed filesystem scope, as outlined in this issue.

This is corrected in this PR by checking whether a directory is a symlink before reading from it.
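As an added example (not tauri's code and not the fix referenced above), here is a scoped recursive directory listing in Rust that applies the mitigation the advisory describes: it inspects each entry with `symlink_metadata` (an lstat, which does not follow links), so a symlinked directory is listed as a leaf but never descended into, and an empty `dir` string resolves to the scope root itself rather than to a path with a trailing separator. The `Entry` type, the function names, and the fixture layout built by `make_fixture` are assumptions constructed for this demonstration.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// One entry from the scoped listing; `path` is relative to the scope root.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Entry {
    pub path: PathBuf,
    pub is_dir: bool,
}

/// Recursively list `scope/dir` without ever descending into a symlinked
/// directory. An empty `dir` means the scope root itself.
pub fn read_dir_scoped(scope: &Path, dir: &str, recursive: bool) -> io::Result<Vec<Entry>> {
    // Do not `join("")`: that yields a trailing separator, which makes lstat
    // resolve the link and hides the symlink check below.
    let root = if dir.is_empty() { scope.to_path_buf() } else { scope.join(dir) };
    // lstat, not stat: refuse if the requested directory is itself a link.
    if fs::symlink_metadata(&root)?.file_type().is_symlink() {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            "requested directory is a symlink",
        ));
    }
    let mut out = Vec::new();
    walk(scope, &root, recursive, &mut out)?;
    out.sort();
    Ok(out)
}

fn walk(scope: &Path, dir: &Path, recursive: bool, out: &mut Vec<Entry>) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        // symlink_metadata reports the link itself, so a symlinked directory
        // comes back as "not a directory": it is listed but never entered.
        let meta = fs::symlink_metadata(&path)?;
        let is_dir = meta.is_dir();
        let rel = path.strip_prefix(scope).unwrap_or(path.as_path()).to_path_buf();
        out.push(Entry { path: rel, is_dir });
        if recursive && is_dir {
            walk(scope, &path, recursive, out)?;
        }
    }
    Ok(())
}

/// Constructed fixture (not from the advisory): `base/outside/secret.txt` plus a
/// scope directory containing `sub/a.txt` and, on Unix, `link -> base/outside`.
/// Returns the scope path.
pub fn make_fixture(base: &Path) -> io::Result<PathBuf> {
    let outside = base.join("outside");
    let scope = base.join("scope");
    fs::create_dir_all(&outside)?;
    fs::create_dir_all(scope.join("sub"))?;
    fs::write(outside.join("secret.txt"), b"outside the scope")?;
    fs::write(scope.join("sub").join("a.txt"), b"inside the scope")?;
    #[cfg(unix)]
    std::os::unix::fs::symlink(&outside, scope.join("link"))?;
    Ok(scope)
}

fn main() -> io::Result<()> {
    let base = std::env::temp_dir().join(format!("readdir-scope-demo-{}", std::process::id()));
    let scope = make_fixture(&base)?;
    for e in read_dir_scoped(&scope, "", true)? {
        println!("{} {}", if e.is_dir { "d" } else { "-" }, e.path.display());
    }
    fs::remove_dir_all(&base)
}
```

Running it lists `link`, `sub` and `sub/a.txt`; `secret.txt` never appears because `link` is reported as a non-directory and the walk does not follow it. Asking for `link` itself as the `dir` argument is refused for the same reason.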

Advisory available under CC0-1.0 license.