
CVE-2022-39215
Date: September 15, 2022
Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when "readDir" is called recursively, it was possible to display directory listings outside of the defined "fs" scope. This required a crafted symbolic link or junction folder inside an allowed path of the "fs" scope. No arbitrary file content could be leaked. The issue has been resolved in version 1.0.6 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined "scope". Users are advised to upgrade. Users unable to upgrade should disable the "readDir" endpoint in the "allowlist" inside the "tauri.conf.json".
Language: RUST
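The check the description says was missing, as an added example (not Tauri's code): a recursive listing that canonicalizes each subdirectory before descending and refuses any that resolve outside the scope root. `Listing`, `read_dir_scoped` and `walk` are hypothetical names; only the Rust standard library is used.

```rust
use std::collections::HashSet;
use std::path::{Path, PathBuf};
use std::{env, fs, io};

/// Entries listed, and directories refused because they resolve outside the scope.
#[derive(Debug, Default)]
pub struct Listing {
    pub entries: Vec<PathBuf>,
    pub refused: Vec<PathBuf>,
}

/// Recursive listing confined to `scope_root` (hypothetical helper, not Tauri's API).
pub fn read_dir_scoped(scope_root: &Path) -> io::Result<Listing> {
    let root = fs::canonicalize(scope_root)?;
    let (mut out, mut seen) = (Listing::default(), HashSet::new());
    walk(&root, &root, &mut seen, &mut out)?;
    Ok(out)
}

fn walk(root: &Path, dir: &Path, seen: &mut HashSet<PathBuf>, out: &mut Listing) -> io::Result<()> {
    // `dir` is canonical; a directory reached twice (link loop) is walked once.
    if !seen.insert(dir.to_path_buf()) {
        return Ok(());
    }
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        // metadata() follows links; a dangling link is an Err and is listed as a plain entry.
        if !fs::metadata(&path).map(|m| m.is_dir()).unwrap_or(false) {
            out.entries.push(path);
            continue;
        }
        // The lexical path is under the root either way; only the canonical
        // path shows an escape. starts_with compares whole path components.
        let real = fs::canonicalize(&path)?;
        if real.starts_with(root) {
            out.entries.push(path);
            walk(root, &real, seen, out)?;
        } else {
            out.refused.push(path);
        }
    }
    Ok(())
}

fn main() -> io::Result<()> {
    let root = env::args().nth(1).unwrap_or_else(|| ".".into());
    println!("{:?}", read_dir_scoped(Path::new(&root))?);
    Ok(())
}
```

A non-empty `refused` list is also a useful audit signal: it names links inside an allowed path that point outside the scope.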
Severity Score
CVSS v3.1
Base Score: | |
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | CHANGED |
Confidentiality (C): | LOW |
Integrity (I): | LOW |
Availability (A): | LOW |