CVE-2023-34460 - Vulnerability Details - OpenCVE

Tauri is a framework for building binaries for all major desktop platforms. The 1.4.0 release includes a regression on the Filesystem scope check for dotfiles on Unix. Previously dotfiles were not implicitly allowed by the glob wildcard scopes (eg. `$HOME/*`), but a regression was introduced when a configuration option for this behavior was implemented. Only Tauri applications using wildcard scopes in the `fs` endpoint are affected. The regression has been patched on version 1.4.1.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00061.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Apple	Macos
Linux	Linux Kernel
Tauri	Tauri

Configuration 1 [-]

AND

cpe:2.3:a:tauri:tauri:1.4.0:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564
https://github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347
https://github.com/tauri-apps/tauri/pull/7227
https://github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm

History

Thu, 07 Nov 2024 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-06-23T19:09:54.173Z

Updated: 2024-11-07T19:04:00.431Z

Reserved: 2023-06-06T16:16:53.559Z

Link: CVE-2023-34460

Vulnrichment

Updated: 2024-08-02T16:10:07.301Z

NVD

Status : Modified

Published: 2023-06-23T20:15:09.147

Modified: 2024-11-21T08:07:18.050

Link: CVE-2023-34460

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-34460", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-06T16:16:53.559Z", "datePublished": "2023-06-23T19:09:54.173Z", "dateUpdated": "2024-11-07T19:04:00.431Z"}, "containers": {"cna": {"title": "Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm"}, {"name": "https://github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347", "tags": ["x_refsource_MISC"], "url": "https://github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347"}, {"name": "https://github.com/tauri-apps/tauri/pull/7227", "tags": ["x_refsource_MISC"], "url": "https://github.com/tauri-apps/tauri/pull/7227"}, {"name": "https://github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564", "tags": ["x_refsource_MISC"], "url": "https://github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564"}], "affected": [{"vendor": "tauri-apps", "product": "tauri", "versions": [{"version": "= 1.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-23T19:09:54.173Z"}, "descriptions": [{"lang": "en", "value": "Tauri is a framework for building binaries for all major desktop platforms. The 1.4.0 release includes a regression on the Filesystem scope check for dotfiles on Unix. Previously dotfiles were not implicitly allowed by the glob wildcard scopes (eg. `$HOME/*`), but a regression was introduced when a configuration option for this behavior was implemented. Only Tauri applications using wildcard scopes in the `fs` endpoint are affected. The regression has been patched on version 1.4.1.\n\n"}], "source": {"advisory": "GHSA-wmff-grcw-jcfm", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:10:07.301Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm"}, {"name": "https://github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347"}, {"name": "https://github.com/tauri-apps/tauri/pull/7227", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tauri-apps/tauri/pull/7227"}, {"name": "https://github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-07T19:03:47.667794Z", "id": "CVE-2023-34460", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-07T19:04:00.431Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm", "name": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347", "name": "https://github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/tauri-apps/tauri/pull/7227", "name": "https://github.com/tauri-apps/tauri/pull/7227", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564", "name": "https://github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:10:07.301Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-34460", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-07T19:03:47.667794Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-07T19:03:56.973Z"}}], "cna": {"title": "Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles", "source": {"advisory": "GHSA-wmff-grcw-jcfm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "tauri-apps", "product": "tauri", "versions": [{"status": "affected", "version": "= 1.4.0"}]}], "references": [{"url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm", "name": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347", "name": "https://github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/tauri-apps/tauri/pull/7227", "name": "https://github.com/tauri-apps/tauri/pull/7227", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564", "name": "https://github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Tauri is a framework for building binaries for all major desktop platforms. The 1.4.0 release includes a regression on the Filesystem scope check for dotfiles on Unix. Previously dotfiles were not implicitly allowed by the glob wildcard scopes (eg. `$HOME/*`), but a regression was introduced when a configuration option for this behavior was implemented. Only Tauri applications using wildcard scopes in the `fs` endpoint are affected. The regression has been patched on version 1.4.1.\n\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-23T19:09:54.173Z"}}}, "cveMetadata": {"cveId": "CVE-2023-34460", "state": "PUBLISHED", "dateUpdated": "2024-11-07T19:04:00.431Z", "dateReserved": "2023-06-06T16:16:53.559Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-06-23T19:09:54.173Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tauri:tauri:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "CB02A4BD-CF71-49AE-943F-469EB7328175", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Tauri is a framework for building binaries for all major desktop platforms. The 1.4.0 release includes a regression on the Filesystem scope check for dotfiles on Unix. Previously dotfiles were not implicitly allowed by the glob wildcard scopes (eg. `$HOME/*`), but a regression was introduced when a configuration option for this behavior was implemented. Only Tauri applications using wildcard scopes in the `fs` endpoint are affected. The regression has been patched on version 1.4.1.\n\n"}], "id": "CVE-2023-34460", "lastModified": "2024-11-21T08:07:18.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-23T20:15:09.147", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/tauri-apps/tauri/pull/7227"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/tauri-apps/tauri/commit/066c09a6ea06f42f550d090715e06beb65cd5564"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/tauri-apps/tauri/pull/6969#discussion_r1232018347"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/tauri-apps/tauri/pull/7227"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-wmff-grcw-jcfm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Secondary"}]}