GHSA-28m8-9j7v-x499: Tauri's readDir Endpoint Scope can be Bypassed With Symbolic Links

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2022-39215

Tauri’s readDir Endpoint Scope can be Bypassed With Symbolic Links

Low severity GitHub Reviewed Published Sep 16, 2022 in tauri-apps/tauri • Updated Sep 16, 2022

Vulnerability details Dependabot alerts 0

Package

cargo tauri (Rust)

Affected versions

< 1.0.6

Patched versions

1.0.6

Description

Impact

Due to missing canonicalization when readDir is called recursively, it was possible to display directory listings outside of the defined fs scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs scope. No arbitrary file content could be leaked.

Patches

The issue has been resolved in tauri-apps/tauri#5123 and the implementation now properly checks if the
requested (sub) directory is a symbolic link outside of the defined scope.

Workarounds

Disable the readDir endpoint in the allowlist inside the tauri.conf.json.

For more information

This issue was initially reported by martin-ocasek in #4882.

If you have any questions or comments about this advisory:

• Open an issue in tauri
• Email us at [email protected]

References

• GHSA-28m8-9j7v-x499
• https://nvd.nist.gov/vuln/detail/CVE-2022-39215
• tauri-apps/tauri#4882
• tauri-apps/tauri#5123
• tauri-apps/tauri@1f9b9e8
• tauri-apps/tauri@bb17882
• https://github.com/tauri-apps/tauri/releases/tag/tauri-v1.0.6

tweidinger published the maintainer security advisory

Sep 15, 2022

Severity

Low

Weaknesses

CWE-22

CVE ID

CVE-2022-39215

GHSA ID

GHSA-28m8-9j7v-x499

Source code

tauri-apps/tauri

Credits

• martin-ocasek

Checking history

See something to contribute? Suggest improvements for this vulnerability.