CVE-2023-22466 — Improper Initialization in Tokio

CWE-665 — Improper Initialization7 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 61.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tokio Debian Rust-tokio Tokio-rs Tokio +16 more

Timeline

PublishedJan 4

Latest updateJan 10

Description

Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting `pipe_mode` will reset `reject_remote_clients` to `false`. If the application has previously configured `reject_remote_clients` to `true`, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB).…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages20 packages

▶debiandebian/rust-tokio< rust-tokio 1.24.2-1 (bookworm)

▶NVDtokio/tokio1.7.0 — 1.18.4+2

▶crates.iotokio/tokio1.7.0 — 1.18.4+2

▶CVEListV5tokio-rs/tokio>= 1.19.0, < 1.20.3, >= 1.21.0, < 1.23.1, >= 1.7.0, < 1.18.4+2

▶msrcmsrc/cm1_rust_1.59.0-1_on_cbl_mariner_1.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Tokio reject_remote_clients configuration may get dropped when creating a Windows named pipe↗2023-01-06

▶

OSV

Tokio reject_remote_clients configuration may get dropped when creating a Windows named pipe↗2023-01-06

▶

OSV

reject_remote_clients Configuration corruption↗2023-01-04

▶

OSV

CVE-2023-22466: Tokio is a runtime for writing applications with Rust↗2023-01-04

▶

📋Vendor Advisories

Microsoft

Tokio's reject_remote_clients configuration may get dropped when creating a Windows named pipe↗2023-01-10

▶

Debian

CVE-2023-22466: rust-tokio - Tokio is a runtime for writing applications with Rust. Starting with version 1.7...↗2023

▶