
    2 vulnerabilities found for tokio by tokio-rs

    CVE-2023-22466 (GCVE-0-2023-22466)

    Vulnerability from nvd – Published: 2023-01-04 21:47 – Updated: 2025-03-10 21:32
    VLAI
    Title
    Tokio's reject_remote_clients configuration may get dropped when creating a Windows named pipe
    Summary
    Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting `pipe_mode` will reset `reject_remote_clients` to `false`. If the application has previously configured `reject_remote_clients` to `true`, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure that `pipe_mode` is set first after initializing a `ServerOptions`, before `reject_remote_clients` is set, so that the `reject_remote_clients` value is not reset afterwards.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-665 - Improper Initialization
    Assigner
    Impacted products
    Vendor Product Version
    tokio-rs tokio Affected: >= 1.7.0, < 1.18.4
    Affected: >= 1.19.0, < 1.20.3
    Affected: >= 1.21.0, < 1.23.1

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:13:48.445Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7"
              },
              {
                "name": "https://github.com/tokio-rs/tokio/pull/5336",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/tokio-rs/tokio/pull/5336"
              },
              {
                "name": "https://github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1"
              },
              {
                "name": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22466",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T21:00:36.854340Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:32:32.950Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "tokio",
              "vendor": "tokio-rs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.7.0, \u003c 1.18.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.19.0, \u003c 1.20.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.21.0, \u003c 1.23.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting `pipe_mode` will reset `reject_remote_clients` to `false`. If the application has previously configured `reject_remote_clients` to `true`, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe\u0027s associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure that `pipe_mode` is set first after initializing a `ServerOptions`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-665",
                  "description": "CWE-665: Improper Initialization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-04T21:47:09.400Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7"
            },
            {
              "name": "https://github.com/tokio-rs/tokio/pull/5336",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tokio-rs/tokio/pull/5336"
            },
            {
              "name": "https://github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1"
            },
            {
              "name": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients"
            }
          ],
          "source": {
            "advisory": "GHSA-7rrj-xr53-82p7",
            "discovery": "UNKNOWN"
          },
          "title": "Tokio\u0027s reject_remote_clients configuration may get dropped when creating a Windows named pipe"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-22466",
        "datePublished": "2023-01-04T21:47:09.400Z",
        "dateReserved": "2022-12-29T03:00:40.879Z",
        "dateUpdated": "2025-03-10T21:32:32.950Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-22466 (GCVE-0-2023-22466)

    Vulnerability from cvelistv5 – Published: 2023-01-04 21:47 – Updated: 2025-03-10 21:32
    VLAI
    Title
    Tokio's reject_remote_clients configuration may get dropped when creating a Windows named pipe
    Summary
    Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting `pipe_mode` will reset `reject_remote_clients` to `false`. If the application has previously configured `reject_remote_clients` to `true`, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure that `pipe_mode` is set first after initializing a `ServerOptions`, before `reject_remote_clients` is set, so that the `reject_remote_clients` value is not reset afterwards.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-665 - Improper Initialization
    Assigner
    Impacted products
    Vendor Product Version
    tokio-rs tokio Affected: >= 1.7.0, < 1.18.4
    Affected: >= 1.19.0, < 1.20.3
    Affected: >= 1.21.0, < 1.23.1

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:13:48.445Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7"
              },
              {
                "name": "https://github.com/tokio-rs/tokio/pull/5336",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/tokio-rs/tokio/pull/5336"
              },
              {
                "name": "https://github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1"
              },
              {
                "name": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22466",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T21:00:36.854340Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:32:32.950Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "tokio",
              "vendor": "tokio-rs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.7.0, \u003c 1.18.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.19.0, \u003c 1.20.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.21.0, \u003c 1.23.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting `pipe_mode` will reset `reject_remote_clients` to `false`. If the application has previously configured `reject_remote_clients` to `true`, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe\u0027s associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure that `pipe_mode` is set first after initializing a `ServerOptions`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-665",
                  "description": "CWE-665: Improper Initialization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-04T21:47:09.400Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7"
            },
            {
              "name": "https://github.com/tokio-rs/tokio/pull/5336",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tokio-rs/tokio/pull/5336"
            },
            {
              "name": "https://github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1"
            },
            {
              "name": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients"
            }
          ],
          "source": {
            "advisory": "GHSA-7rrj-xr53-82p7",
            "discovery": "UNKNOWN"
          },
          "title": "Tokio\u0027s reject_remote_clients configuration may get dropped when creating a Windows named pipe"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-22466",
        "datePublished": "2023-01-04T21:47:09.400Z",
        "dateReserved": "2022-12-29T03:00:40.879Z",
        "dateUpdated": "2025-03-10T21:32:32.950Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }