
CVE-2023-22466 tokio

Package

Manager: cargo
Name: tokio
Vulnerable Version: >=1.7.0 <1.18.4 || >=1.19.0 <1.20.3 || >=1.21.0 <1.23.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00095 pctl0.27468

Details

Tokio reject_remote_clients configuration may get dropped when creating a Windows named pipe

### Impact

When configuring a Windows named pipe server, setting `pipe_mode` resets `reject_remote_clients` to `false`. If the application has previously configured `reject_remote_clients` to `true`, calling `pipe_mode` afterwards silently undoes that setting. The same applies when `reject_remote_clients` is never set explicitly: rejecting remote clients is the default, and that default is cleared by calling `pipe_mode`. Any affected application that calls `pipe_mode` either after `reject_remote_clients(true)` or without calling `reject_remote_clients` at all therefore ends up with a pipe that accepts remote clients.

Remote clients can only reach the named pipe if its path is reachable through a publicly shared folder (SMB).

### Patches

The following versions have been patched:

* 1.23.1
* 1.20.3
* 1.18.4

The fix is also present in all releases from version 1.24.0 onwards. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected.

### Workarounds

Ensure that `pipe_mode` is set **first** after initializing a `ServerOptions`, and that `reject_remote_clients(true)` is called after it, so the later call is the one that survives. For example:

```rust
use tokio::net::windows::named_pipe::{PipeMode, ServerOptions};

let mut opts = ServerOptions::new();
// Set the pipe mode first: on affected versions this call clears the
// reject-remote-clients flag, so it must not come after the next line.
opts.pipe_mode(PipeMode::Message);
// Re-assert the safe default explicitly, after pipe_mode.
opts.reject_remote_clients(true);
```

### References

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients
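The following is an added, self-contained model of the builder's `dwPipeMode` word, not Tokio's code. The advisory only states the observable effect (calling `pipe_mode` resets `reject_remote_clients`); the model assumes, as an illustration, that the vulnerable setter overwrote the whole `dwPipeMode` word instead of toggling only the pipe-type bit, and puts a setter that touches only that bit beside it. The flag values are the documented Win32 `CreateNamedPipe` constants; `ModelOptions`, `pipe_mode_vulnerable`, `pipe_mode_fixed` and the three builder functions are names introduced here. It runs on any platform because nothing in it calls Win32.

```rust
// Added example: models the dwPipeMode word of a named-pipe server builder.
// NOT tokio's code. The overwrite in `pipe_mode_vulnerable` is an assumed
// mechanism for the behaviour the advisory describes.

/// dwPipeMode flags from the Win32 CreateNamedPipe documentation.
const PIPE_TYPE_BYTE: u32 = 0x0000_0000;
const PIPE_TYPE_MESSAGE: u32 = 0x0000_0004;
const PIPE_REJECT_REMOTE_CLIENTS: u32 = 0x0000_0008;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum PipeMode {
    Byte,
    Message,
}

/// Stand-in for a `ServerOptions`-style builder (hypothetical name); only the
/// dwPipeMode word is modelled.
#[derive(Clone, Copy, Debug)]
pub struct ModelOptions {
    pipe_mode: u32,
}

impl Default for ModelOptions {
    fn default() -> Self {
        Self::new()
    }
}

impl ModelOptions {
    /// Default as the advisory describes it: remote clients are rejected.
    pub fn new() -> Self {
        ModelOptions { pipe_mode: PIPE_TYPE_BYTE | PIPE_REJECT_REMOTE_CLIENTS }
    }

    /// Set or clear only the PIPE_REJECT_REMOTE_CLIENTS bit.
    pub fn reject_remote_clients(&mut self, reject: bool) -> &mut Self {
        if reject {
            self.pipe_mode |= PIPE_REJECT_REMOTE_CLIENTS;
        } else {
            self.pipe_mode &= !PIPE_REJECT_REMOTE_CLIENTS;
        }
        self
    }

    /// Assumed vulnerable setter: replaces the whole word, so a previously
    /// set PIPE_REJECT_REMOTE_CLIENTS bit (including the default) is lost.
    pub fn pipe_mode_vulnerable(&mut self, mode: PipeMode) -> &mut Self {
        self.pipe_mode = match mode {
            PipeMode::Byte => PIPE_TYPE_BYTE,
            PipeMode::Message => PIPE_TYPE_MESSAGE,
        };
        self
    }

    /// Fixed setter: toggles only the pipe-type bit and leaves other flags
    /// untouched, so call order no longer matters.
    pub fn pipe_mode_fixed(&mut self, mode: PipeMode) -> &mut Self {
        match mode {
            PipeMode::Byte => self.pipe_mode &= !PIPE_TYPE_MESSAGE,
            PipeMode::Message => self.pipe_mode |= PIPE_TYPE_MESSAGE,
        }
        self
    }

    /// The word that would be passed as dwPipeMode to CreateNamedPipe.
    pub fn dw_pipe_mode(&self) -> u32 {
        self.pipe_mode
    }

    /// The check a practitioner wants: is the reject bit still set?
    pub fn rejects_remote_clients(&self) -> bool {
        self.pipe_mode & PIPE_REJECT_REMOTE_CLIENTS != 0
    }
}

/// The ordering the advisory warns about, on the vulnerable setter:
/// reject_remote_clients(true) first, pipe_mode(Message) second.
pub fn vulnerable_reject_then_mode() -> ModelOptions {
    let mut opts = ModelOptions::new();
    opts.reject_remote_clients(true);
    opts.pipe_mode_vulnerable(PipeMode::Message);
    opts
}

/// The advisory's workaround ordering, still on the vulnerable setter.
pub fn vulnerable_mode_then_reject() -> ModelOptions {
    let mut opts = ModelOptions::new();
    opts.pipe_mode_vulnerable(PipeMode::Message);
    opts.reject_remote_clients(true);
    opts
}

/// The problematic ordering on the fixed setter: the flag survives.
pub fn fixed_reject_then_mode() -> ModelOptions {
    let mut opts = ModelOptions::new();
    opts.reject_remote_clients(true);
    opts.pipe_mode_fixed(PipeMode::Message);
    opts
}

fn main() {
    for (label, opts) in [
        ("vulnerable, reject then mode", vulnerable_reject_then_mode()),
        ("vulnerable, mode then reject", vulnerable_mode_then_reject()),
        ("fixed, reject then mode", fixed_reject_then_mode()),
    ] {
        println!(
            "{label}: dwPipeMode=0x{:x} rejects_remote={}",
            opts.dw_pipe_mode(),
            opts.rejects_remote_clients()
        );
    }
}
```

The first case ends with `dwPipeMode = 0x4` (message type, reject bit gone), which is exactly the silent downgrade the advisory describes; the workaround ordering and the fixed setter both end with `0xC`. When auditing code pinned to an affected Tokio version, grep for `reject_remote_clients` and `pipe_mode` on the same builder and confirm that `pipe_mode` is the earlier call.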

Metadata

Created: 2023-01-06T21:40:58Z
Modified: 2023-01-06T21:40:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-7rrj-xr53-82p7/GHSA-7rrj-xr53-82p7.json
CWE IDs: ["CWE-665"]
Alternative ID: GHSA-7rrj-xr53-82p7
Finding: F138
Auto approve: 1