RUSTSEC-2022-0091

tauri filesystem scope partial bypass

Reported

September 19, 2022

Issued

February 25, 2023

Package

tauri (crates.io)

Type

Vulnerability

Categories

privilege-escalation

Aliases

CVE-2022-41874
GHSA-q9wv-22m9-vhqh

References

https://github.com/tauri-apps/tauri/issues/5234

CVSS Score

2.3 LOW

CVSS Details

Attack vector: Local
Attack complexity: High
Privileges required: High
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

Patched

>=1.0.7, <1.1.0
>=1.1.2

Unaffected

<1.0.0

Description

A bug identified in this issue allows a partial filesystem scope bypass if glob characters are used within file dialog or drag-and-drop functionalities.

This PR fixes the issue by escaping glob characters.

Advisory available under CC0-1.0 license.