CVE-2023-22466
Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, calling `pipe_mode` resets `reject_remote_clients` to `false`. If the application has previously set `reject_remote_clients` to `true`, that setting is silently undone. Remote clients can only reach the named pipe if its associated path is exposed through a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched, and the fix is also present in every release from version 1.24.0 onward. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, set `pipe_mode` first, immediately after initializing a `ServerOptions`, so that a later `reject_remote_clients(true)` is not overwritten.
Risk Scores
EPSS 0.20% · 41.3rd percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| tokio | tokio | 1.19.0, 1.7.0, 1.21.0 |
| crates.io | tokio | 1.19.0, 1.7.0, 1.19.0 |
| tokio-rs | tokio | >= 1.7.0, < 1.18.4; >= 1.19.0, < 1.20.3; >= 1.21.0, < 1.23.1 |
Timeline
- Jan 4, 2023 CVE published
- Jan 5, 2023 EPSS score updated
- Feb 15, 2023 EPSS score updated
- Mar 7, 2023 EPSS score updated
- Mar 28, 2023 EPSS score updated
- May 8, 2023 EPSS score updated
- Jun 18, 2023 EPSS score updated
- Jul 29, 2023 EPSS score updated
- Sep 8, 2023 EPSS score updated
- Oct 19, 2023 EPSS score updated
- Nov 29, 2023 EPSS score updated
- Jan 9, 2024 EPSS score updated
References
- https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7 (url)
- https://github.com/tokio-rs/tokio/pull/5336 (url)
- https://github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1 (url)
- https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients (url)
- https://nvd.nist.gov/vuln/detail/CVE-2023-22466 (advisory)
- https://github.com/tokio-rs/tokio (package)
- https://rustsec.org/advisories/RUSTSEC-2023-0001.html (url)