CVE-2023-31134

EPSS 0.52%
Veröffentlicht 09.05.2023 14:15:13
Zuletzt bearbeitet 21.11.2024 08:01:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Tauri Open Redirect Vulnerability Possibly Exposes IPC to External Sites

Tauri is software for building applications for multi-platform deployment. The Tauri IPC is usually strictly isolated from external websites, but in versions 1.0.0 until 1.0.9, 1.1.0 until 1.1.4, and 1.2.0 until 1.2.5, the isolation can be bypassed by redirecting an existing Tauri window to an external website. This is either possible by an application implementing a feature for users to visit
arbitrary websites or due to a bug allowing the open redirect. This allows the external website access to the IPC layer and therefore to all configured and exposed Tauri API endpoints and application specific implemented Tauri commands. This issue has been patched in versions 1.0.9, 1.1.4, and 1.2.5. As a workaround, prevent arbitrary input in redirect features and/or only allow trusted websites access to the IPC.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 9

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tauri ≫ Tauri Version >= 1.0.0 < 1.0.9

Tauri ≫ Tauri Version >= 1.1.0 < 1.1.4

Tauri ≫ Tauri Version >= 1.2.0 < 1.2.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.52%	0.402

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	4.8	1.7	2.7	CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

https://github.com/tauri-apps/tauri/releases/tag/tauri-v1.0.9

Release Notes

https://github.com/tauri-apps/tauri/releases/tag/tauri-v1.1.4

Release Notes

https://github.com/tauri-apps/tauri/releases/tag/tauri-v1.2.5

Release Notes

https://github.com/tauri-apps/tauri/security/advisories/GHSA-4wm2-cwcf-wwvp

Vendor Advisory

https://www.github.com/tauri-apps/tauri/commit/58ea0b45268dbd46cbac0ebb0887353d057ca767

Patch

https://www.github.com/tauri-apps/tauri/commit/fa90214b052b1a5d38d54fbf1ca422b4c37cfd1f

Patch

https://nvd.nist.gov/vuln/detail/CVE-2023-31134

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-31134

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-31134

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-31134