PT-2022-27785 · Tauri · Tauri

Lucasfernog · Published 2022-12-22 · Updated 2023-01-04 · CVE-2022-46171

CVSS v3.1: 6.8 (Medium)
Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Tauri versions prior to the latest release
Tauri versions 1.x prior to the backported patch

Description

Tauri's filesystem (fs) scope entries are matched as glob patterns. The wildcards *, ?, and [...] match path separators and leading dots by default, so a scope entry such as $APPDATA/* also matches files in nested directories ($APPDATA/sub/dir/file) and hidden files ($APPDATA/.env). This unintentionally exposes sub folder content of allowed paths to the webview. Scopes without these wildcards are not affected. Because ** is meant to allow sub directories, its behavior is as expected. The issue has been patched in the latest release and was backported into the currently supported 1.x branches.

Recommendations

For Tauri versions prior to the latest release, update to the latest release. For Tauri versions 1.x, apply the backported patch. As a temporary workaround, restrict the use of the *, ?, and [...] wildcards in fs scopes to minimize the risk of exploitation; entries without wildcards, or entries that deliberately use ** for recursive access, are not affected. Avoid using dialog.open with the recursive option set to false until the issue is resolved: selecting a directory that way extends the scope with a dir/* entry, which the bug effectively widens to dir/**.
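To make the two matching rules behind this advisory concrete, the following is an added example and not Tauri's own code (Tauri's scope check uses the glob crate and additionally canonicalizes paths and resolves symlinks, none of which is modeled here). It reimplements glob matching over '/'-separated paths with exactly the two knobs the vulnerability hinges on: whether *, ?, and [...] may consume a path separator, and whether they may consume the leading dot of a component. WEAK reproduces the vulnerable defaults, HARDENED the intended behavior. The names MatchOptions, WEAK, HARDENED, scope_allows and the /home/alice/app paths are assumptions made for illustration.

```rust
// Added example: a small glob matcher exposing the two options behind
// CVE-2022-46171. Not Tauri's implementation; names and paths are assumptions.

#[derive(Clone, Copy, Debug)]
pub struct MatchOptions {
    /// If true, `*`, `?` and `[...]` may not consume a `/`; only `**` crosses components.
    pub require_literal_separator: bool,
    /// If true, wildcards may not consume the leading `.` of a component (dotfiles).
    pub require_literal_leading_dot: bool,
}

/// The vulnerable defaults: `app/*` behaves like `app/**` and also matches dotfiles.
pub const WEAK: MatchOptions =
    MatchOptions { require_literal_separator: false, require_literal_leading_dot: false };
/// The intended behavior: `*` is confined to one component and skips dotfiles.
pub const HARDENED: MatchOptions =
    MatchOptions { require_literal_separator: true, require_literal_leading_dot: true };

/// Does `scope_pattern` allow `path`? Both are assumed absolute, '/'-separated and
/// already canonicalized (the real scope check also resolves symlinks, etc.).
pub fn scope_allows(scope_pattern: &str, path: &str, o: MatchOptions) -> bool {
    let pat: Vec<char> = scope_pattern.chars().collect();
    let p: Vec<char> = path.chars().collect();
    matches(&pat, &p, o, true)
}

/// May a wildcard consume `c` here? `comp_start` is true at the first char of a component.
fn wildcard_can_take(c: char, o: MatchOptions, comp_start: bool) -> bool {
    !(c == '/' && o.require_literal_separator)
        && !(c == '.' && comp_start && o.require_literal_leading_dot)
}

/// Membership in a `[...]` body such as `a-z0-9_` (negation is handled by the caller).
fn class_contains(class: &[char], c: char) -> bool {
    let mut i = 0;
    while i < class.len() {
        if i + 2 < class.len() && class[i + 1] == '-' {
            if class[i] <= c && c <= class[i + 2] { return true; }
            i += 3;
        } else {
            if class[i] == c { return true; }
            i += 1;
        }
    }
    false
}

fn matches(pat: &[char], path: &[char], o: MatchOptions, comp_start: bool) -> bool {
    // `**` as a whole component matches zero or more complete path components.
    if comp_start && pat.len() >= 2 && pat[0] == '*' && pat[1] == '*'
        && (pat.len() == 2 || pat[2] == '/')
    {
        let rest = if pat.len() == 2 { &pat[2..] } else { &pat[3..] };
        if matches(rest, path, o, true) { return true; } // zero components consumed
        let mut start = 0;
        loop {
            // `**` may not swallow a hidden component when leading dots are literal.
            if o.require_literal_leading_dot && path.get(start) == Some(&'.') { return false; }
            match path[start..].iter().position(|&c| c == '/') {
                Some(k) => {
                    start += k + 1;
                    if matches(rest, &path[start..], o, true) { return true; }
                }
                // Last component: only a trailing `**` may absorb it.
                None => return rest.is_empty() && start < path.len(),
            }
        }
    }
    match pat.first() {
        None => path.is_empty(),
        Some('*') => {
            // Consume zero or more characters one at a time, subject to the options.
            let (mut i, mut cs) = (0, comp_start);
            loop {
                if matches(&pat[1..], &path[i..], o, cs) { return true; }
                match path.get(i) {
                    Some(&c) if wildcard_can_take(c, o, cs) => { cs = c == '/'; i += 1; }
                    _ => return false,
                }
            }
        }
        Some('?') => match path.first() {
            Some(&c) if wildcard_can_take(c, o, comp_start) =>
                matches(&pat[1..], &path[1..], o, c == '/'),
            _ => false,
        },
        Some('[') => {
            let negate = pat.get(1) == Some(&'!');
            let body = if negate { 2 } else { 1 };
            match pat[body..].iter().position(|&c| c == ']') {
                // No closing bracket: treat `[` as a literal character.
                None => path.first() == Some(&'[') && matches(&pat[1..], &path[1..], o, false),
                Some(end) => match path.first() {
                    Some(&c) if wildcard_can_take(c, o, comp_start)
                        && class_contains(&pat[body..body + end], c) != negate =>
                        matches(&pat[body + end + 1..], &path[1..], o, c == '/'),
                    _ => false,
                },
            }
        }
        Some(&c) => path.first() == Some(&c) && matches(&pat[1..], &path[1..], o, c == '/'),
    }
}

fn main() {
    // Constructed scope entries and request paths (not real application data).
    let cases = [
        ("/home/alice/app/*", "/home/alice/app/settings.json"),
        ("/home/alice/app/*", "/home/alice/app/secrets/db.sqlite"),
        ("/home/alice/app/*", "/home/alice/app/.env"),
        ("/home/alice/app/log?.txt", "/home/alice/app/log/.txt"),
        ("/home/alice/app/**", "/home/alice/app/secrets/db.sqlite"),
    ];
    for &(scope, path) in cases.iter() {
        println!("{:<28} {:<36} weak={} hardened={}", scope, path,
            scope_allows(scope, path, WEAK), scope_allows(scope, path, HARDENED));
    }
}
```

Under WEAK the second, third and fourth cases are allowed even though the scope only names one directory level: * and ? walk straight through the separator and the leading dot. Under HARDENED only the first and last cases pass, the last because ** is the explicit opt-in for sub directories. The same two-flag check is the reviewer's test for any scope configuration: a pattern ending in /* should reject a path containing a further / and a path whose last component starts with a dot.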

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2022-46171
GHSA-6MV3-WM7J-H4W5

Affected Products

Tauri