CVE-2023-22466

Опубликовано: 04 янв. 2023

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting pipe_mode will reset reject_remote_clients to false. If the application has previously configured reject_remote_clients to true, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure that pipe_mode is set first after initializing a ServerOptions.

Ссылки

https://github.com/tokio-rs/tokio/pull/5336
Patch
Third Party Advisory
https://github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1
Release Notes
Third Party Advisory
https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7
Mitigation
Third Party Advisory
https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients
Technical Description
Third Party Advisory
https://github.com/tokio-rs/tokio/pull/5336
Patch
Third Party Advisory
https://github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1
Release Notes
Third Party Advisory
https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7
Mitigation
Third Party Advisory
https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients
Technical Description
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:tokio:tokio:*:*:*:*:*:rust:*:*

Версия от 1.7.0 (включая) до 1.18.4 (исключая)

cpe:2.3:a:tokio:tokio:*:*:*:*:*:rust:*:*

Версия от 1.19.0 (включая) до 1.20.3 (исключая)

cpe:2.3:a:tokio:tokio:*:*:*:*:*:rust:*:*

Версия от 1.21.0 (включая) до 1.23.1 (исключая)

EPSS

Процентиль: 39%

0.00174

Низкий

5.4 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-665

Связанные уязвимости

CVE-2023-22466

CVSS3: 5.4

ubuntu

около 3 лет назад

Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting `pipe_mode` will reset `reject_remote_clients` to `false`. If the application has previously configured `reject_remote_clients` to `true`, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure that `pipe_mode` is set first after initializing a `ServerOptions`.

CVE-2023-22466

CVSS3: 5.4

msrc

около 3 лет назад

Описание отсутствует

CVE-2023-22466

CVSS3: 5.4

debian

около 3 лет назад

Tokio is a runtime for writing applications with Rust. Starting with v ...

GHSA-7rrj-xr53-82p7

CVSS3: 5.4

github

около 3 лет назад

Tokio reject_remote_clients configuration may get dropped when creating a Windows named pipe

EPSS

Процентиль: 39%

0.00174

Низкий

5.4 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-665