Reported

September 19, 2022

Issued

February 25, 2023

Package

tauri (crates.io)

Type

Vulnerability

Categories

• privilege-escalation

Aliases

• CVE-2022-41874
• GHSA-q9wv-22m9-vhqh

References

• https://github.com/tauri-apps/tauri/issues/5234

CVSS Score

2.3 LOW

CVSS Details

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality Impact

Low

Integrity Impact

None

Availability Impact

None

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

Patched

• >=1.0.7, <1.1.0
• >=1.1.2

Unaffected

• <1.0.0

Description

A bug identified in this issue allows a partial filesystem scope bypass if glob characters are used within file dialog or drag-and-drop functionalities.

This PR fixes the issue by escaping glob characters.

Advisory available under CC0-1.0 license.