Tauri is a framework for building binaries for all major desktop platforms. The filesystem glob pattern wildcards `*`, `?`, and `[...]` match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths. Scopes without the wildcards are not affected. As `**` allows for sub directories the behavior there is also as expected. The issue has been patched in the latest release and was backported into the currently supported 1.x branches. There are no known workarounds at the time of publication.
References
Link | Resource |
---|---|
https://github.com/tauri-apps/tauri/commit/72389b00d7b495ffd7750eb1e75a3b8537d07cf3 | Patch Third Party Advisory |
https://github.com/tauri-apps/tauri/commit/f0602e7c294245ab6ef6fbf2a976ef398340ef58 | Patch Third Party Advisory |
https://github.com/tauri-apps/tauri/security/advisories/GHSA-6mv3-wm7j-h4w5 | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-12-23T13:47:56.494Z
Updated:
Reserved: 2022-11-28T17:27:19.998Z
Link: CVE-2022-46171
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-12-23T14:15:10.360
Modified: 2023-01-04T21:14:18.730
Link: CVE-2022-46171
JSON object: View
Redhat Information
No data.
CWE