Insufficiently Protected Credentials Affecting tauri-cli package, versions <2.0.0-alpha.16


Severity: high (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 0.04% (11th percentile)

  • Snyk ID: SNYK-RUST-TAURICLI-6026294
  • published: 22 Oct 2023
  • disclosed: 20 Oct 2023
  • credit: Unknown

Introduced: 20 Oct 2023

CVE-2023-46115
CWE-522

How to fix?

Upgrade tauri-cli to version 2.0.0-alpha.16 or higher.

Overview

tauri-cli is the command-line tool for Tauri, a polyglot and composable framework for building desktop applications with web frontends.

Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the project's vite.config.ts. Vite exposes every environment variable whose name starts with a configured envPrefix to the frontend code through import.meta.env, and those values are written into the bundled JavaScript. If the snippet envPrefix: ['VITE_', 'TAURI_'] from the Vite guide is copied into the vite.config.ts of a Tauri project, the prefix TAURI_ also matches TAURI_PRIVATE_KEY and TAURI_KEY_PASSWORD, the updater signing key and its password that tauri build reads from the environment. Both are then bundled into the frontend assets, so anyone who obtains the built application can recover the private key and the updater key password. This is only exploitable when that envPrefix snippet is present in a Tauri project's vite.config.ts.

Note: This is an informational advisory describing a commonly used misconfiguration, not a classic case of a vulnerability in the tauri-cli code.

Workaround

This vulnerability can be mitigated by using envPrefix: ['VITE_'] and manually adding only the TAURI variables the frontend actually needs. TAURI_PLATFORM, TAURI_ARCH, TAURI_FAMILY, TAURI_PLATFORM_VERSION, TAURI_PLATFORM_TYPE and TAURI_DEBUG can be added this way without leaking sensitive information, because none of them is a prefix of TAURI_PRIVATE_KEY or TAURI_KEY_PASSWORD. If a build with the wide-open prefix has already been distributed, the updater key should be treated as compromised, since the shipped bundle contains it.
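The following is an added example, not code from the Tauri project, Vite, or this advisory. It places the leaking configuration from the Overview beside the hardened form from the Workaround, and models Vite's documented envPrefix rule (a variable is exposed when its name starts with any configured prefix) in a small function so the difference can be checked before a build. The environment snapshot is constructed with placeholder values; exposedEnv and leakedSecrets are names chosen here, not Vite or Tauri APIs. In a real vite.config.ts the hardened object would be the default export (or be passed to defineConfig).

```typescript
// Added example (not Tauri's, Vite's or Snyk's code): models Vite's envPrefix
// filtering to show which environment variables each vite.config.ts variant
// would expose to the frontend bundle via import.meta.env.

// Constructed snapshot of the environment present during `tauri build` when
// the updater is configured. Values are placeholders, not real keys.
const SAMPLE_ENV: Record<string, string> = {
  VITE_API_URL: "https://api.example.test",
  TAURI_PLATFORM: "linux",
  TAURI_ARCH: "x86_64",
  TAURI_FAMILY: "unix",
  TAURI_PLATFORM_VERSION: "6.1",
  TAURI_PLATFORM_TYPE: "Linux",
  TAURI_DEBUG: "false",
  TAURI_PRIVATE_KEY: "dW50cnVzdGVkIGNvbW1lbnQ6IHBsYWNlaG9sZGVy", // placeholder
  TAURI_KEY_PASSWORD: "placeholder-password",
  HOME: "/home/builder",
};

// The two variables the advisory names as the credentials at risk.
const UPDATER_SECRETS = ["TAURI_PRIVATE_KEY", "TAURI_KEY_PASSWORD"] as const;

// The snippet from the Vite guide that causes the leak: every variable whose
// name starts with TAURI_ is exposed, including the updater signing key.
const leakyConfig = { envPrefix: ["VITE_", "TAURI_"] };

// The advisory's workaround: keep VITE_ and list only the non-sensitive TAURI
// variables. Vite treats each entry as a name prefix, so "TAURI_PLATFORM"
// already covers TAURI_PLATFORM_VERSION and TAURI_PLATFORM_TYPE, while
// nothing here is a prefix of TAURI_PRIVATE_KEY or TAURI_KEY_PASSWORD.
const hardenedConfig = {
  envPrefix: [
    "VITE_",
    "TAURI_PLATFORM",
    "TAURI_ARCH",
    "TAURI_FAMILY",
    "TAURI_PLATFORM_VERSION",
    "TAURI_PLATFORM_TYPE",
    "TAURI_DEBUG",
  ],
};

// Model of Vite's documented envPrefix rule (assumed here, not Vite's own
// code): a variable reaches import.meta.env if its name starts with any
// configured prefix. Vite's default prefix is "VITE_".
function exposedEnv(
  env: Record<string, string>,
  envPrefix: string | string[] = "VITE_",
): Record<string, string> {
  const prefixes = Array.isArray(envPrefix) ? envPrefix : [envPrefix];
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(env)) {
    if (prefixes.some((p) => name.startsWith(p))) out[name] = value;
  }
  return out;
}

// Pre-build check: which updater secrets would this config bundle?
// Returns an empty list for a safe configuration.
function leakedSecrets(
  config: { envPrefix?: string | string[] },
  env: Record<string, string>,
): string[] {
  const exposed = exposedEnv(env, config.envPrefix);
  return UPDATER_SECRETS.filter((name) => name in exposed);
}

console.log("leaky   :", leakedSecrets(leakyConfig, SAMPLE_ENV));
console.log("hardened:", leakedSecrets(hardenedConfig, SAMPLE_ENV));
```

Running leakedSecrets against the real process.env in a CI step before tauri build turns the advisory's misconfiguration into a failing check rather than something found after release. The prefix model also explains why the workaround is safe: the hardened list is matched by startsWith, so the useful TAURI_PLATFORM_* variables stay available to the frontend while nothing in the list can match the two secret names.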
