Lucasfernog

**Name of the Vulnerable Software and Affected Versions** Tauri versions prior to 2.0.0-alpha.16 or 1.5.6 **Description** This issue is related to a misconfiguration in the Tauri documentation that could lead to the leaking of the private key and updater key password into bundled Tauri applications using the Vite frontend in a specific configuration. The Tauri documentation used an insecure example configuration in the Vite guide, which could cause the `TAURI PRIVATE KEY` and `TAURI KEY PASSWORD` to be bundled into the Vite frontend code. This issue only affects a very limited amount of applications. To verify if you are affected, you can search for the private key value or the `TAURI PRIVATE KEY` variable inside the release build frontend assets (`dist/`). **Recommendations** To resolve the issue, update the `envPrefix` configuration in `vite.config.ts` to use `envPrefix: ['VITE ']` and manually add the desired `TAURI` variables. Rotate your updater private key by generating a new private key with `tauri signer generate`, saving the new private key, and updating the updater's `pubkey` value on `tauri.conf.json` with the new public key. To update your existing application, the next application build must be signed with the older private key in order to be accepted by the existing application.

**Name of the Vulnerable Software and Affected Versions** Tauri versions 1.0.0 through 1.0.9 Tauri versions 1.1.0 through 1.1.4 Tauri versions 1.2.0 through 1.2.5 **Description** The Tauri IPC is usually strictly isolated from external websites, but the isolation can be bypassed by redirecting an existing Tauri window to an external website. This can be done either by an application implementing a feature for users to visit arbitrary websites or due to a bug allowing the open redirect. This allows the external website access to the IPC layer and therefore to all configured and exposed Tauri API endpoints and application-specific implemented Tauri commands. **Recommendations** For versions 1.0.0 through 1.0.9, update to version 1.0.9 or later to patch the issue. For versions 1.1.0 through 1.1.4, update to version 1.1.4 or later to patch the issue. For versions 1.2.0 through 1.2.5, update to version 1.2.5 or later to patch the issue. As a temporary workaround, prevent arbitrary input in redirect features and/or only allow trusted websites access to the IPC.

**Nome do software vulnerável e versões afetadas** Versões do Tauri anteriores à versão mais recente Versões 1.x do Tauri anteriores ao patch retroportado **Descrição** Os caracteres curinga `*`, `?` e `[...]` do padrão glob do sistema de arquivos correspondem, por padrão, a literais de caminho de arquivo e pontos iniciais, o que expõe involuntariamente o conteúdo de subpastas em caminhos permitidos. Escopos sem os caracteres curinga não são afetados. Como `**` permite subdiretórios, o comportamento nesse caso também é o esperado. O problema foi corrigido na versão mais recente e foi retroportado para os ramos 1.x atualmente suportados. **Recomendações** Para versões do Tauri anteriores à versão mais recente, atualize para a versão mais recente para resolver o problema. Para versões 1.x do Tauri, aplique o patch retroportado para resolver o problema. Como solução alternativa temporária, considere restringir o uso dos padrões globais `*`, `?` e `[...]` nos escopos `fs` para minimizar o risco de exploração. Evite usar o componente `dialog.open` com a opção `recursive` definida como `false` até que o problema seja resolvido.