CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS Percentile: 47.1%

Tokio is a runtime for writing applications with Rust. Starting with
version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when
configuring a Windows named pipe server, setting `pipe_mode` will reset
`reject_remote_clients` to `false`. If the application has previously
configured `reject_remote_clients` to `true`, this effectively undoes the
configuration. Remote clients may only access the named pipe if the named
pipe’s associated path is accessible via a publicly shared folder (SMB).

Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be
present in all releases starting from version 1.24.0. Named pipes were
introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not
affected. As a workaround, ensure that `pipe_mode` is set first after
initializing a `ServerOptions`.

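The ordering problem and the workaround, as an added example that is not Tokio's own code: a simplified model that assumes both settings are stored in one flags word, which is consistent with the behaviour described above. `ModelServerOptions`, its `patched` switch and `rejects_remote` are hypothetical names; the constants are the Win32 `CreateNamedPipe` mode values.

```rust
// Simplified model, not Tokio's source. Constants are Win32 CreateNamedPipe mode flags.
const PIPE_TYPE_BYTE: u32 = 0x0;
const PIPE_TYPE_MESSAGE: u32 = 0x4;
const PIPE_REJECT_REMOTE_CLIENTS: u32 = 0x8;
#[derive(Clone, Copy)]
pub enum PipeMode { Byte, Message }

/// Hypothetical builder; `patched` selects the corrected setter behaviour.
pub struct ModelServerOptions { flags: u32, patched: bool }
impl ModelServerOptions {
    pub fn new(patched: bool) -> Self {
        Self { flags: PIPE_TYPE_BYTE, patched }
    }

    pub fn pipe_mode(&mut self, mode: PipeMode) -> &mut Self {
        let bits = match mode {
            PipeMode::Byte => PIPE_TYPE_BYTE,
            PipeMode::Message => PIPE_TYPE_MESSAGE,
        };
        if self.patched {
            // Replace only the pipe-type bit and keep every other flag.
            self.flags = (self.flags & !PIPE_TYPE_MESSAGE) | bits;
        } else {
            // Flawed (assumed mechanism): overwrites the whole word, dropping the reject bit.
            self.flags = bits;
        }
        self
    }

    pub fn reject_remote_clients(&mut self, reject: bool) -> &mut Self {
        if reject {
            self.flags |= PIPE_REJECT_REMOTE_CLIENTS;
        } else {
            self.flags &= !PIPE_REJECT_REMOTE_CLIENTS;
        }
        self
    }

    /// True when the configured pipe would refuse remote (SMB) clients.
    pub fn rejects_remote(&self) -> bool {
        (self.flags & PIPE_REJECT_REMOTE_CLIENTS) != 0
    }
}

fn main() {
    let mut o = ModelServerOptions::new(false);
    o.reject_remote_clients(true).pipe_mode(PipeMode::Message);
    println!("affected build keeps reject flag: {}", o.rejects_remote());
}
```

When auditing code built against an affected release, the call order to look for is `reject_remote_clients(true)` followed by `pipe_mode(...)` on the same `ServerOptions`.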
Author | Note |
---|---|
tyhicks | mozjs contains a copy of the SpiderMonkey JavaScript engine |
mdeslaur | starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | rust-tokio | < any | UNKNOWN |
ubuntu | 22.04 | noarch | rust-tokio | < any | UNKNOWN |
ubuntu | 24.04 | noarch | rust-tokio | < any | UNKNOWN |
ubuntu | 18.04 | noarch | rustc | < any | UNKNOWN |
ubuntu | 20.04 | noarch | rustc | < any | UNKNOWN |
ubuntu | 22.04 | noarch | rustc | < any | UNKNOWN |
ubuntu | 24.04 | noarch | rustc | < any | UNKNOWN |
ubuntu | 14.04 | noarch | rustc | < any | UNKNOWN |
ubuntu | 16.04 | noarch | rustc | < any | UNKNOWN |
github.com/tokio-rs/tokio/pull/5336
github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1
github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7
launchpad.net/bugs/cve/CVE-2023-22466
learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients
nvd.nist.gov/vuln/detail/CVE-2023-22466
security-tracker.debian.org/tracker/CVE-2023-22466
www.cve.org/CVERecord?id=CVE-2023-22466