CVE-2023-34460: Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles
The 1.4.0 release includes a regression on the filesystem scope check for dotfiles on Linux and macOS.
Previously, dotfiles (e.g. $HOME/.ssh/) were not implicitly allowed by glob wildcard scopes (e.g. $HOME/*), but a regression was introduced when a configuration option for this behavior was implemented, and dotfiles became implicitly allowed.
Only Tauri applications using wildcard scopes in the fs endpoint are affected.
Only macOS and Linux systems are affected.
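The following is an added illustration of the scope check the advisory describes; it is not Tauri's own code. It is a small, dependency-free scope matcher in which a wildcard component (*, ?, **) matches a path component that starts with a dot only when the pattern component itself spells out a literal leading dot. The field name require_literal_leading_dot is my label for the configuration option the advisory mentions, not a claim about Tauri's actual setting; the paths are constructed samples. Running glob_matches with the flag cleared reproduces the regressed behavior (wildcards silently admitting dotfiles); with the flag set it reproduces the intended check.

```rust
// Added example: a component-wise glob scope check that refuses to let
// wildcards match dot-prefixed names unless the pattern asks for them.
// Not Tauri's implementation; `require_literal_leading_dot` is an assumed name.

/// Match one path component against one pattern component.
/// `*` matches any run of characters, `?` exactly one; the rest is literal.
fn component_matches(pat: &[char], name: &[char]) -> bool {
    let (mut p, mut n) = (0usize, 0usize);
    let (mut star_p, mut star_n) = (None::<usize>, 0usize);
    while n < name.len() {
        if p < pat.len() && (pat[p] == '?' || pat[p] == name[n]) {
            p += 1;
            n += 1;
        } else if p < pat.len() && pat[p] == '*' {
            // remember the star so we can backtrack and let it absorb more
            star_p = Some(p);
            star_n = n;
            p += 1;
        } else if let Some(sp) = star_p {
            p = sp + 1;
            star_n += 1;
            n = star_n;
        } else {
            return false;
        }
    }
    while p < pat.len() && pat[p] == '*' {
        p += 1;
    }
    p == pat.len()
}

/// Recursive match over path components. `**` spans any number of components.
/// With `literal_dot` set, neither `*`, `?` nor `**` may consume a component
/// whose name starts with '.', unless the pattern component literally starts with '.'.
fn match_components(pat: &[&str], parts: &[&str], literal_dot: bool) -> bool {
    match (pat.first(), parts.first()) {
        (None, None) => true,
        (None, Some(_)) => false,
        (Some(&"**"), _) => {
            // zero components ...
            if match_components(&pat[1..], parts, literal_dot) {
                return true;
            }
            // ... or one more, provided it is not a guarded dotfile
            match parts.first() {
                Some(name) if !(literal_dot && name.starts_with('.')) => {
                    match_components(pat, &parts[1..], literal_dot)
                }
                _ => false,
            }
        }
        (Some(_), None) => false,
        (Some(p), Some(name)) => {
            if literal_dot && name.starts_with('.') && !p.starts_with('.') {
                return false; // wildcard would have to match a leading dot: refuse
            }
            let pc: Vec<char> = p.chars().collect();
            let nc: Vec<char> = name.chars().collect();
            component_matches(&pc, &nc) && match_components(&pat[1..], &parts[1..], literal_dot)
        }
    }
}

/// Does `path` fall inside the glob `pattern`? Both are split on '/'.
fn glob_matches(pattern: &str, path: &str, require_literal_leading_dot: bool) -> bool {
    let pat: Vec<&str> = pattern.split('/').filter(|s| !s.is_empty()).collect();
    let parts: Vec<&str> = path.split('/').filter(|s| !s.is_empty()).collect();
    match_components(&pat, &parts, require_literal_leading_dot)
}

/// An allow/deny scope in the style of a filesystem allowlist (constructed model).
struct FsScope {
    allow: Vec<String>,
    deny: Vec<String>,
    require_literal_leading_dot: bool,
}

impl FsScope {
    fn any_match(&self, pats: &[String], path: &str) -> bool {
        pats.iter().any(|p| glob_matches(p, path, self.require_literal_leading_dot))
    }
    /// Deny entries win over allow entries; everything else is rejected.
    fn is_allowed(&self, path: &str) -> bool {
        !self.any_match(&self.deny, path) && self.any_match(&self.allow, path)
    }
}

fn main() {
    let scope = FsScope {
        allow: vec!["$HOME/**".to_string()],
        deny: vec![],
        require_literal_leading_dot: true,
    };
    for p in ["$HOME/notes.txt", "$HOME/.ssh/id_rsa"] {
        println!("{} allowed: {}", p, scope.is_allowed(p));
    }
}
```

The important behaviors to verify in a scope checker are the negative ones: $HOME/* must not admit $HOME/.bashrc, and $HOME/** must not admit anything under $HOME/.ssh/, unless the pattern names the dot component explicitly (for example $HOME/.ssh/*). A regression test that asserts both the permissive and the strict outcome side by side is what would have caught a change like the one in 1.4.0.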
References
- github.com/advisories/GHSA-wmff-grcw-jcfm
- github.com/tauri-apps/tauri
- github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564
- github.com/tauri-apps/tauri/pull/6969
- github.com/tauri-apps/tauri/pull/7227
- github.com/tauri-apps/tauri/security/advisories/GHSA-6mv3-wm7j-h4w5
- github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm
- nvd.nist.gov/vuln/detail/CVE-2023-34460