Insufficiently Protected Credentials Affecting @tauri-apps/cli package, versions <2.0.0-alpha.16
- Snyk ID SNYK-JS-TAURIAPPSCLI-6026293
- published 22 Oct 2023
- disclosed 20 Oct 2023
- credit Unknown
Introduced: 20 Oct 2023
CVE-2023-46115
How to fix?
Upgrade @tauri-apps/cli to version 2.0.0-alpha.16 or higher.
Overview
@tauri-apps/cli is a command line interface for building Tauri apps.
Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the vite.config.ts configuration file. An attacker can access the private key and updater key password by exploiting a misconfiguration in the Vite frontend of bundled Tauri applications. This is only exploitable if the envPrefix: ['VITE_', 'TAURI_'], snippet from the Vite guide is copied into the vite.config.ts of a Tauri project, leading to the bundling of the TAURI_PRIVATE_KEY and TAURI_KEY_PASSWORD into the Vite frontend code.
Note: This is an informational advisory describing a commonly used misconfiguration and not a classic case of a vulnerability in the code.
Workaround
This vulnerability can be mitigated by using envPrefix: ['VITE_'], and manually adding the desired TAURI variables. The variables TAURI_PLATFORM, TAURI_ARCH, TAURI_FAMILY, TAURI_PLATFORM_VERSION, TAURI_PLATFORM_TYPE and TAURI_DEBUG can be added this way without leaking sensitive information.
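The following is an added example, not code from Snyk, Tauri or Vite. It models the prefix rule behind Vite's envPrefix option (a variable is exposed as import.meta.env.* when its name starts with any configured prefix) and puts the copied snippet from the Overview next to the Workaround's configuration, with a small pre-build check that reports which of the two secret names would reach the bundle. The prefix-matching function is a simplified stand-in for Vite's own logic, and the sample build environment and its placeholder values are constructed for the example.

```typescript
// Added example (not Vite's or Tauri's code): a simplified model of the
// prefix rule Vite's `envPrefix` option applies when deciding which build
// environment variables become `import.meta.env.*` in the bundled frontend.
// The two configs mirror the advisory: the copied snippet versus the
// workaround of keeping 'VITE_' and naming the wanted TAURI variables.

type ViteEnvConfig = { envPrefix: string | string[] };

// The six TAURI variables the advisory lists as safe to expose.
export const SAFE_TAURI_VARS: readonly string[] = [
  'TAURI_PLATFORM',
  'TAURI_ARCH',
  'TAURI_FAMILY',
  'TAURI_PLATFORM_VERSION',
  'TAURI_PLATFORM_TYPE',
  'TAURI_DEBUG',
];

// The two secrets the advisory says must never reach the bundle.
export const SECRET_TAURI_VARS: readonly string[] = [
  'TAURI_PRIVATE_KEY',
  'TAURI_KEY_PASSWORD',
];

// Weak config: the snippet from the guide, which exposes every TAURI_* variable.
export const weakConfig: ViteEnvConfig = { envPrefix: ['VITE_', 'TAURI_'] };

// Corrected config: 'VITE_' plus the safe TAURI names listed individually.
// Each entry is still a prefix, so 'TAURI_PLATFORM' also covers
// TAURI_PLATFORM_VERSION and TAURI_PLATFORM_TYPE, but no other TAURI_* name.
export const fixedConfig: ViteEnvConfig = {
  envPrefix: ['VITE_', ...SAFE_TAURI_VARS],
};

// Return the subset of `env` that a config with this envPrefix would expose
// (simplified model of Vite's rule: name must start with some prefix).
export function exposedEnv(
  env: Record<string, string>,
  config: ViteEnvConfig,
): Record<string, string> {
  const prefixes = Array.isArray(config.envPrefix)
    ? config.envPrefix
    : [config.envPrefix];
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(env)) {
    if (prefixes.some((p) => name.startsWith(p))) {
      out[name] = value;
    }
  }
  return out;
}

// Pre-build check: names of secrets that would be bundled under this config.
export function leakedSecrets(
  env: Record<string, string>,
  config: ViteEnvConfig,
): string[] {
  const exposed = exposedEnv(env, config);
  return SECRET_TAURI_VARS.filter((name) => name in exposed);
}

// Constructed sample build environment; the secret values are placeholders.
export const sampleEnv: Record<string, string> = {
  VITE_API_URL: 'https://api.example.invalid',
  TAURI_PLATFORM: 'linux',
  TAURI_ARCH: 'x86_64',
  TAURI_PLATFORM_VERSION: '6.1.0',
  TAURI_DEBUG: 'false',
  TAURI_PRIVATE_KEY: '<placeholder updater private key>',
  TAURI_KEY_PASSWORD: '<placeholder key password>',
  HOME: '/home/builder',
};

console.log('weak config leaks:', leakedSecrets(sampleEnv, weakConfig));
console.log('fixed config leaks:', leakedSecrets(sampleEnv, fixedConfig));
```

Running the block prints the two secret names for the weak configuration and an empty list for the corrected one, while the safe variables stay available to the frontend. Because every envPrefix entry is matched as a prefix rather than an exact name, an allowlist built this way also admits any future variable whose name happens to start with one of the listed names; a project that wants exact-name mapping can instead inject the individual values through Vite's define option and leave envPrefix at ['VITE_'].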