4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-34460

GHSA ID

GHSA-wmff-grcw-jcfm

EPSS Score

0.19185%

CWE

CWE-285

Published

6/21/2023

Updated

11/7/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-34460

CVE-2023-34460: Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles

Impact

The 1.4.0 release includes a regression on the filesystem scope check for dotfiles on Linux and macOS.

Previously dotfiles (eg. $HOME/.ssh/) were not implicitly allowed by the glob wildcard scopes (eg. $HOME/*), but a regression was introduced when a configuration option for this behavior was implemented and dotfiles were implicitly allowed.

Only Tauri applications using wildcard scopes in the fs endpoint are affected. Only macOS and Linux systems are affected.

Patches

The regression has been patched on v1.4.1.

Workarounds

There are no known workarounds at this time, users should update to v1.4.1 immediately.

References

See the original advisory for more information.

For more Information

If you have any questions or comments about this advisory:

Open an issue in tauri Email us at security@tauri.app

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-34460

GHSA ID

GHSA-wmff-grcw-jcfm

EPSS Score

0.19185%

CWE

CWE-285

Published

6/21/2023

Updated

11/7/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tauri	rust	= 1.4.0	1.4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from a flipped boolean in the require_literal_leading_dot configuration handling. The commit diff shows the default value for Unix systems was incorrectly set to false in 1.4.0 (vulnerable) and corrected to true in 1.4.1. The Scope::new function in fs.rs implements this configuration, controlling whether glob patterns match dotfiles. The incorrect default allowed implicit access to hidden files via wildcards, violating security expectations for Unix-like systems.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** *.*.* r*l**s* in*lu**s * r**r*ssion on t** *il*syst*m s*op* ****k *or *ot*il*s on Linux *n* m**OS. Pr*viously *ot*il*s (**. `$*OM*/.ss*/`) w*r* not impli*itly *llow** *y t** *lo* wil***r* s*op*s (**. `$*OM*/*`), *ut * r**r*ssion w*s i

Reasoning

T** vuln*r**ility st*mm** *rom * *lipp** *ool**n in t** `r*quir*_lit*r*l_l***in*_*ot` *on*i*ur*tion **n*lin*. T** *ommit *i** s*ows t** ****ult v*lu* *or Unix syst*ms w*s in*orr**tly s*t to `**ls*` in *.*.* (vuln*r**l*) *n* *orr**t** to `tru*` in *.*

4.8

Basic Information

Concerned about an active attack path?

CVE-2023-34460: Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles

Impact

Patches

Workarounds

References

For more Information

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI