Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
The readDir Endpoint Scope can be Bypassed With Symbolic Links in Tauri
Vulnerability Description
Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked. The issue has been resolved in version 1.0.6 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined `scope`. Users are advised to upgrade. Users unable to upgrade should disable the `readDir` endpoint in the `allowlist` inside the `tauri.conf.json`.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
Tauri 后置链接漏洞
Vulnerability Description
Tauri是Tauri开源的一个使用 Web 前端构建更小、更快、更安全的桌面应用程序。 Tauri 1.0.6之前版本存在后置链接漏洞,该漏洞源于递归调用readDir时缺少规范化,有可能在定义的fs范围之外显示目录列表。
CVSS Information
N/A
Vulnerability Type
N/A