Reported

September 19, 2022

Issued

February 25, 2023

Package

tauri (crates.io)

Type

Vulnerability

Categories

• privilege-escalation

Aliases

• CVE-2022-41874
• GHSA-q9wv-22m9-vhqh

Details

https://github.com/tauri-apps/tauri/issues/5234

CVSS Score

2.3 LOW

CVSS Details

Attack vector

Local

Attack complexity

High

Privileges required

High

User interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

Patched

• >=1.0.7, <1.1.0
• >=1.1.2

Unaffected

• <1.0.0

Description

A bug identified in this issue allows a partial filesystem scope bypass if glob characters are used within file dialog or drag-and-drop functionalities.

This PR fixes the issue by escaping glob characters.