CVE-2022-39215: 
Rust vulnerability analysis and mitigation

CVE-2022-39215 affects Tauri, a framework for building desktop applications. The vulnerability was discovered in versions prior to 1.0.6 and was disclosed on September 15, 2022. The issue stems from missing canonicalization when the readDir function is called recursively, potentially allowing directory listings outside of the defined filesystem scope through crafted symbolic links or junction folders (GitHub Advisory).

The vulnerability is classified as CWE-548 and received a Low severity rating. The issue occurs when the readDir function is called recursively without proper canonicalization of paths, specifically when handling symbolic links or junction folders within an allowed path of the filesystem scope. The vulnerability was patched in versions 1.0.6 and 1.1.0 (GitHub Advisory).

The vulnerability allows attackers to view directory listings outside of the defined filesystem scope. However, the impact is limited as it does not allow for arbitrary file content access. The exploit requires a crafted symbolic link or junction folder to be present inside an allowed path of the filesystem scope (GitHub Advisory).

As a temporary workaround, users can disable the readDir endpoint in the allowlist inside the tauri.conf.json file. The permanent fix was implemented in pull request #5123, which added proper checks for symbolic links outside of the defined scope (GitHub Advisory).