CVE-2024-35222
5.9
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
Summary
Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the dangerousRemoteDomainIpcAccess in v1 and in the capabilities in v2. Valid commands with potentially unwanted consequences ("delete project", "transfer credits", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app. This vulnerability has been patched in versions 1.6.7 and 2.0.0-beta.19.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| tauri-apps | tauri | <= 1.6.6 | affected |
| tauri-apps | tauri | >= 2.0.0-beta.0, <= 2.0.0-beta.19 | affected |
Weaknesses
- CWE-284: CWE-284: Improper Access Control
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7
- https://github.com/tauri-apps/tauri/issues/8316
References
- https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7
- https://github.com/tauri-apps/tauri/issues/8316
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.