
RUSTSEC-2022-0088

tauri's readDir endpoint allows possible enumeration outside of filesystem scope

Reported
Issued
Package
tauri (crates.io)
Type
Vulnerability
Categories
Aliases
Details
https://github.com/tauri-apps/tauri/issues/4882
CVSS Score
5.8 MEDIUM
CVSS Details
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Patched
  • >=1.0.6

Description

When readDir is called recursively with an empty string for the dir parameter, it can incorrectly enumerate files from a symlinked directory, as outlined in this issue.

This is corrected in this PR by checking if a directory is a symlink before reading from it.
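
The check described above, shown as an added example (not tauri's code and not the patch itself): a recursive lister that descends into symlinked directories next to one that tests for a symlink before reading. The names list_recursive, follow_symlinks and demo are hypothetical, the directory tree is constructed for the demonstration, and a Unix host is assumed for symlink creation.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Recursively collect entries under `dir`. With `follow_symlinks == false`
/// a symlinked directory is listed but never read from.
fn list_recursive(dir: &Path, follow_symlinks: bool, out: &mut Vec<PathBuf>) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        // symlink_metadata inspects the link itself; Path::is_dir follows it.
        let is_symlink = fs::symlink_metadata(&path)?.file_type().is_symlink();
        out.push(path.clone());
        if path.is_dir() && (follow_symlinks || !is_symlink) {
            list_recursive(&path, follow_symlinks, out)?;
        }
    }
    Ok(())
}

/// Builds a constructed tree: scope/ok.txt, outside/secret.txt, and
/// scope/link -> outside. Returns (leak when following, leak when checking).
fn demo() -> io::Result<(bool, bool)> {
    let base = std::env::temp_dir().join(format!("readdir-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let (scope, outside) = (base.join("scope"), base.join("outside"));
    fs::create_dir_all(&scope)?;
    fs::create_dir_all(&outside)?;
    fs::write(scope.join("ok.txt"), b"in scope")?;
    fs::write(outside.join("secret.txt"), b"out of scope")?;
    std::os::unix::fs::symlink(&outside, scope.join("link"))?;

    // True when the listing of `scope` exposes the file that lives outside it.
    let leaks = |follow: bool| -> io::Result<bool> {
        let mut out = Vec::new();
        list_recursive(&scope, follow, &mut out)?;
        Ok(out.iter().any(|p| p.ends_with("secret.txt")))
    };
    let result = (leaks(true)?, leaks(false)?);
    fs::remove_dir_all(&base)?;
    Ok(result)
}

fn main() -> io::Result<()> {
    let (following, checking) = demo()?;
    println!("outside file listed when following symlinks: {following}");
    println!("outside file listed with symlink check:      {checking}");
    Ok(())
}
```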