CVE-2022-39215 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2022-39215

CVE-2022-39215

September 15, 2022

Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when "readDir" is called recursively, it was possible to display directory listings outside of the defined "fs" scope. This required a crafted symbolic link or junction folder inside an allowed path of the "fs" scope. No arbitrary file content could be leaked. The issue has been resolved in version 1.0.6 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined "scope". Users are advised to upgrade. Users unable to upgrade should disable the "readDir" endpoint in the "allowlist" inside the "tauri.conf.json".

Related Resources (11)

https://github.com/tauri-apps/tauri/commit/bb178829086e80916f9be190f02d83bc25802799

https://github.com/tauri-apps/tauri/releases/tag/tauri-v1.0.6

https://nvd.nist.gov/vuln/detail/CVE-2022-39215

https://github.com/tauri-apps/tauri

https://github.com/tauri-apps/tauri/security/advisories/GHSA-28m8-9j7v-x499

https://github.com/tauri-apps/tauri/pull/5123/commits/1f9b9e8d26a2c915390323e161020bcb36d44678

https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39215.json

https://github.com/tauri-apps/tauri/pull/5123

https://github.com/tauri-apps/tauri/issues/4882

https://rustsec.org/advisories/RUSTSEC-2022-0088.html

https://crates.io/crates/tauri