Products
Tauri
- 1.0 - 1.6.6
- 2.0.0-beta.0 - 2.0.0-beta.18
Source
security-advisories@github.com
Tags
CVE-2024-35222 details
Last Modified : May 23, 2024, 2:15 p.m.
Description
Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the `dangerousRemoteDomainIpcAccess` in v1 and in the `capabilities` in v2. Valid commands with potentially unwanted consequences ("delete project", "transfer credits", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app. This vulnerability has been patched in versions 1.6.7 and 2.0.0-beta.19.
CVSS Score
1 | 2 | 3 | 4 | 5.9 | 6 | 7 | 8 | 9 | 10 |
---|
Weakness
Weakness | Name | Description |
---|
CVSS Data
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
Base Score
5.9
Exploitability Score
Impact Score
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
References
URL | Source |
---|---|
https://github.com/tauri-apps/tauri/issues/8316 | security-advisories@github.com |
https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7 | security-advisories@github.com |