Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03cnJqLXhyNTMtODJwN84AAwyk

Tokio reject_remote_clients configuration may get dropped when creating a Windows named pipe

Impact

When configuring a Windows named pipe server, setting pipe_mode will reset reject_remote_clients to false. If the application has previously configured reject_remote_clients to true, this effectively undoes the configuration. This also applies if reject_remote_clients is not explicitly set as this is the default configuration and is cleared by calling pipe_mode.

Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publically shared folder (SMB).

Patches

The following versions have been patched:

The fix will also be present in all releases starting from version 1.24.0.

Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);

References

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients

Permalink: https://github.com/advisories/GHSA-7rrj-xr53-82p7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03cnJqLXhyNTMtODJwN84AAwyk
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago


CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Identifiers: GHSA-7rrj-xr53-82p7, CVE-2023-22466
References: Repository: https://github.com/tokio-rs/tokio

Affected Packages

cargo:tokio
Dependent packages: 17,339
Dependent repositories: 53,472
Downloads: 163,567,596 total
Affected Version Ranges: >= 1.21.0, < 1.23.1, >= 1.19.0, < 1.20.3, >= 1.7.0, < 1.18.4
Fixed in: 1.23.1, 1.20.3, 1.18.4
All affected versions: 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.13.0, 1.13.1, 1.14.0, 1.14.1, 1.15.0, 1.16.0, 1.16.1, 1.17.0, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.19.0, 1.19.1, 1.19.2, 1.20.0, 1.20.1, 1.20.2, 1.21.0, 1.21.1, 1.21.2, 1.22.0, 1.23.0
All unaffected versions: 0.0.0, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.20, 0.1.21, 0.1.22, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.2.17, 0.2.18, 0.2.19, 0.2.20, 0.2.21, 0.2.22, 0.2.23, 0.2.24, 0.2.25, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.18.4, 1.18.5, 1.18.6, 1.20.3, 1.20.4, 1.20.5, 1.20.6, 1.23.1, 1.24.0, 1.24.1, 1.24.2, 1.25.0, 1.25.1, 1.25.2, 1.25.3, 1.26.0, 1.27.0, 1.28.0, 1.28.1, 1.28.2, 1.29.0, 1.29.1, 1.30.0, 1.31.0, 1.32.0, 1.32.1, 1.33.0, 1.34.0, 1.35.0, 1.35.1, 1.36.0