Insufficiently Protected Credentials Affecting @tauri-apps/cli package, versions <2.0.0-alpha.16


Severity

high (Snyk's recommended score; the full CVSS breakdown is under CVSS Scores below)

CVSS assessment made by Snyk's Security Team

Threat Intelligence
  • Exploit Maturity: Proof of concept
  • EPSS: 0.04% (11th percentile)

  • Snyk ID SNYK-JS-TAURIAPPSCLI-6026293
  • published 22 Oct 2023
  • disclosed 20 Oct 2023
  • credit Unknown

How to fix?

Upgrade @tauri-apps/cli to version 2.0.0-alpha.16 or higher.

Overview

@tauri-apps/cli is a command-line interface for building Tauri apps.

Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the project's vite.config.ts. Vite inlines every environment variable whose name starts with one of the configured envPrefix entries into the frontend bundle as import.meta.env. If the envPrefix: ['VITE_', 'TAURI_'] snippet from the Vite guide is copied into the vite.config.ts of a Tauri project, the blanket TAURI_ prefix also matches TAURI_PRIVATE_KEY and TAURI_KEY_PASSWORD, which the Tauri CLI reads during a release build to sign updater artifacts. Both values are then bundled into the shipped frontend code, so anyone who obtains the application can recover the updater private key and its password. This is only exploitable when that envPrefix snippet (or any other prefix that matches the two secret variables) is present in the project's Vite configuration.

Note: This is an informational advisory describing a commonly used misconfiguration and not a classic case of a vulnerability in the code.

Workaround

This vulnerability can be mitigated by using envPrefix: ['VITE_'] and adding only the desired TAURI variables explicitly, rather than the whole TAURI_ namespace. TAURI_PLATFORM, TAURI_ARCH, TAURI_FAMILY, TAURI_PLATFORM_VERSION, TAURI_PLATFORM_TYPE and TAURI_DEBUG can be exposed this way without leaking sensitive information; TAURI_PRIVATE_KEY and TAURI_KEY_PASSWORD must never match an envPrefix entry. To confirm a build is clean, search the generated frontend output for the value of TAURI_KEY_PASSWORD or the leading characters of TAURI_PRIVATE_KEY: any hit means the prefix list is still too broad.
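The weak and hardened envPrefix settings side by side, as an added example written for this page (not code from Snyk, Vite or the Tauri project). It models Vite's envPrefix filtering as a startsWith check over the process environment, which is the test Vite's loadEnv applies when deciding what becomes import.meta.env; the sample environment and both secret values are constructed placeholders, and exposedEnv/leakedSecrets are helper names chosen here, not Vite APIs.

```typescript
// Added example: models how Vite picks the process.env keys that are inlined
// into the frontend bundle as import.meta.env.*. Vite exposes a key when it
// starts with any entry of `envPrefix` (a string or string[]); the helper
// below mirrors that startsWith check (assumption: same semantics as loadEnv).

// Constructed sample environment, as a Tauri release build would see it.
// The private key and password are placeholders, not real secrets.
const sampleEnv: Record<string, string> = {
  VITE_API_URL: "https://api.example.test",
  TAURI_PLATFORM: "linux",
  TAURI_ARCH: "x86_64",
  TAURI_FAMILY: "unix",
  TAURI_PLATFORM_VERSION: "6.5.0",
  TAURI_PLATFORM_TYPE: "Linux",
  TAURI_DEBUG: "false",
  TAURI_PRIVATE_KEY: "dW50cnVzdGVkIGNvbW1lbnQ6IHBsYWNlaG9sZGVy", // placeholder
  TAURI_KEY_PASSWORD: "placeholder-password",                    // placeholder
  HOME: "/home/build",
};

/** Keys Vite would bundle into import.meta.env for the given envPrefix. */
function exposedEnv(
  env: Record<string, string>,
  envPrefix: string | string[],
): Record<string, string> {
  const prefixes = Array.isArray(envPrefix) ? envPrefix : [envPrefix];
  const out: Record<string, string> = {};
  for (const [key, value] of Object.entries(env)) {
    if (prefixes.some((p) => key.startsWith(p))) out[key] = value;
  }
  return out;
}

// The misconfiguration from the advisory: a blanket TAURI_ prefix.
const weakPrefix: string[] = ["VITE_", "TAURI_"];

// Hardened: only the non-secret Tauri variables, listed by name. Because Vite
// matches with startsWith, a full variable name is a valid prefix entry and
// "TAURI_PLATFORM" also covers TAURI_PLATFORM_VERSION and TAURI_PLATFORM_TYPE.
const hardenedPrefix: string[] = [
  "VITE_",
  "TAURI_PLATFORM",
  "TAURI_ARCH",
  "TAURI_FAMILY",
  "TAURI_DEBUG",
];

// The two variables the Tauri CLI uses for updater signing.
const SECRETS: string[] = ["TAURI_PRIVATE_KEY", "TAURI_KEY_PASSWORD"];

/** Secret variable names that the given envPrefix would leak into the bundle. */
function leakedSecrets(
  env: Record<string, string>,
  envPrefix: string | string[],
): string[] {
  return SECRETS.filter((k) => k in exposedEnv(env, envPrefix));
}

// Equivalent vite.config.ts for the hardened setting (wrap in defineConfig
// from "vite" in a real project):
//   export default defineConfig({ envPrefix: hardenedPrefix })
console.log("weak prefix leaks:", leakedSecrets(sampleEnv, weakPrefix));
console.log("hardened prefix leaks:", leakedSecrets(sampleEnv, hardenedPrefix));
```

Running the script shows the weak list leaking both secrets while the hardened list exposes every TAURI_PLATFORM*, TAURI_ARCH, TAURI_FAMILY and TAURI_DEBUG value and nothing else. The same helper can be pointed at a project's own prefix list before a release build to catch any entry that matches the two secret names.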

CVSS Scores

CVSS version 3.1

Snyk (recommended): 8.4 high
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
  • Attack Vector (AV): Local
  • Attack Complexity (AC): Low
  • Privileges Required (PR): Low
  • User Interaction (UI): None
  • Scope (S): Changed
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): None

NVD: 5.5 medium