CVE-2023-46115
CVSS 3.1 Score 5.5 of 10 (medium)
Details
Summary
CVE-2023-46115: A misconfiguration issue was discovered in the Tauri framework, affecting projects built with a Vite frontend and a specific configuration. The vulnerability stems from an insecure example configuration in Tauri's Vite guide, which causes sensitive keys, such as the updater private key and the updater key password, to be bundled into the Vite frontend code. Users are advised to rotate their updater private key and update the envPrefix configuration in `vite.config.ts` to prevent the leakage of these keys. To apply the fix, users must generate a new private key using `tauri signer generate` and update the public key in `tauri.conf.json`. It is essential to sign the next application build with the older private key for the update to be accepted. Users not utilizing Vite or modifying the envPrefix configuration are not impacted by this advisory.
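The check below is an added example, not code from Tauri or from this page: it shows which environment variables a given `envPrefix` setting would expose to frontend code, and whether a built bundle already contains the updater secrets. The variable names and the two prefix lists follow Tauri's published advisory for this CVE rather than this page, and the sample environment values are constructed.

```javascript
// Vite exposes an environment variable to client code when its name
// starts with any entry of envPrefix (a string or an array of strings).

// Updater secrets (Tauri v1 variable names, per the upstream advisory).
const UPDATER_SECRETS = ["TAURI_PRIVATE_KEY", "TAURI_KEY_PASSWORD"];

// Broad prefix from the insecure guide example vs. the narrowed replacement.
const BROAD_PREFIX = ["VITE_", "TAURI_"];
const NARROW_PREFIX = ["VITE_", "TAURI_PLATFORM", "TAURI_ARCH", "TAURI_FAMILY",
  "TAURI_PLATFORM_VERSION", "TAURI_PLATFORM_TYPE", "TAURI_DEBUG"];

// Constructed sample build environment (no real key material).
const SAMPLE_ENV = {
  VITE_API_URL: "https://api.example.test",
  TAURI_PLATFORM: "linux",
  TAURI_DEBUG: "true",
  TAURI_PRIVATE_KEY: "CONSTRUCTED-PRIVATE-KEY-VALUE",
  TAURI_KEY_PASSWORD: 'constructed "pass"',
  PATH: "/usr/bin",
};

// Names in `env` that Vite would make visible to the frontend.
function exposedVars(envPrefix, env) {
  const prefixes = [].concat(envPrefix);
  return Object.keys(env).filter((n) => prefixes.some((p) => n.startsWith(p)));
}

// Updater secrets that the prefix configuration would leak.
function leakedSecrets(envPrefix, env) {
  return exposedVars(envPrefix, env).filter((n) => UPDATER_SECRETS.includes(n));
}

// Secrets whose values appear in built bundle text, either verbatim or in
// JSON-escaped form (how a string literal is written into generated JS).
function secretsInBundle(bundleText, env) {
  return UPDATER_SECRETS.filter((n) => {
    const value = env[n];
    if (!value) return false;
    const escaped = JSON.stringify(value).slice(1, -1);
    return bundleText.includes(value) || bundleText.includes(escaped);
  });
}
```

A non-empty result from `secretsInBundle` on a shipped build means the key has already been distributed, so narrowing `envPrefix` alone is not enough and the rotation steps in the summary apply.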
Affected Products
- Tauri
Affected Vendors
- Tauri