CVE-2023-22466
reject_remote_clients configuration corruption
Severity: MEDIUM 5.4 | EPSS 0.20%
Description
On Windows, configuring a named pipe server with [pipe_mode] will force [ServerOptions]::[reject_remote_clients] to `false`. This drops any explicit configuration of [reject_remote_clients] that may have been set to `true` previously. The default setting of [reject_remote_clients] is `true`, so the default is also overridden to `false`.

## Workarounds

Ensure that [pipe_mode] is set first after initializing a [ServerOptions]. For example:

```rust
use tokio::net::windows::named_pipe::{PipeMode, ServerOptions};

let mut opts = ServerOptions::new();
// Set the pipe mode first: in affected versions it resets reject_remote_clients.
opts.pipe_mode(PipeMode::Message);
// Then apply the explicit reject_remote_clients setting so it is not clobbered.
opts.reject_remote_clients(true);
```

[ServerOptions]: https://docs.rs/tokio/latest/tokio/net/windows/named_pipe/struct.ServerOptions.html
[pipe_mode]: https://docs.rs/tokio/latest/tokio/net/windows/named_pipe/struct.ServerOptions.html#method.pipe_mode
[reject_remote_clients]: https://docs.rs/tokio/latest/tokio/net/windows/named_pipe/struct.ServerOptions.html#method.reject_remote_clients
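To make the ordering dependence concrete, here is an added, self-contained Rust model of the flag-clobbering pattern the advisory describes. It is not tokio's code: the `Options` type, its method names and `compare_orderings` are stand-ins for illustration, and only the two flag values are the real Win32 constants. It touches no pipe API, so it runs on any platform.

```rust
// Added model of the configuration-corruption pattern, NOT tokio's code.
// The flag values match the Win32 dwPipeMode constants; everything else
// here is a simplified stand-in for ServerOptions.
const PIPE_TYPE_MESSAGE: u32 = 0x0000_0004;
const PIPE_REJECT_REMOTE_CLIENTS: u32 = 0x0000_0008;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum PipeMode { Byte, Message }

/// Stand-in builder: every flag lives in a single dwPipeMode-style word.
#[derive(Debug, Clone)]
pub struct Options { mode: u32 }

impl Options {
    /// Mirrors the documented default: remote clients are rejected.
    pub fn new() -> Self { Options { mode: PIPE_REJECT_REMOTE_CLIENTS } }

    /// Vulnerable pattern: assigning the whole word erases every other flag,
    /// including PIPE_REJECT_REMOTE_CLIENTS set by default or set earlier.
    pub fn pipe_mode_clobbering(&mut self, m: PipeMode) -> &mut Self {
        self.mode = match m { PipeMode::Byte => 0, PipeMode::Message => PIPE_TYPE_MESSAGE };
        self
    }

    /// Corrected pattern: replace only the PIPE_TYPE_* bit, keep the rest.
    pub fn pipe_mode_preserving(&mut self, m: PipeMode) -> &mut Self {
        self.mode &= !PIPE_TYPE_MESSAGE;
        if m == PipeMode::Message { self.mode |= PIPE_TYPE_MESSAGE; }
        self
    }

    pub fn reject_remote_clients(&mut self, reject: bool) -> &mut Self {
        if reject { self.mode |= PIPE_REJECT_REMOTE_CLIENTS; } else { self.mode &= !PIPE_REJECT_REMOTE_CLIENTS; }
        self
    }

    pub fn rejects_remote_clients(&self) -> bool { self.mode & PIPE_REJECT_REMOTE_CLIENTS != 0 }
}

/// Reject-bit outcome for four call orders:
/// (defaults + buggy setter, explicit true then buggy setter,
///  buggy setter then explicit true = the advisory's workaround,
///  explicit true then fixed setter).
pub fn compare_orderings() -> (bool, bool, bool, bool) {
    let mut a = Options::new();
    a.pipe_mode_clobbering(PipeMode::Message);
    let mut b = Options::new();
    b.reject_remote_clients(true).pipe_mode_clobbering(PipeMode::Message);
    let mut c = Options::new();
    c.pipe_mode_clobbering(PipeMode::Message).reject_remote_clients(true);
    let mut d = Options::new();
    d.reject_remote_clients(true).pipe_mode_preserving(PipeMode::Message);
    (a.rejects_remote_clients(), b.rejects_remote_clients(),
     c.rejects_remote_clients(), d.rejects_remote_clients())
}
```

The first two results show the silent downgrade (default and explicit `true` both lost); the third shows why the workaround ordering holds up even against the clobbering setter, and the fourth shows the bit-preserving fix making order irrelevant.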
Affected packages (3)
- crates.io/tokio: >= 1.7.0, < 1.18.4
- crates.io/tokio: >= 1.7.0, < 1.18.4; >= 1.19.0, < 1.20.3; >= 1.21.0, < 1.23.1
- Debian/rust-tokio: from 0, < 1.24.2-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-22466
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2023-22466
- PATCH: https://crates.io/crates/tokio
- PATCH: https://github.com/tokio-rs/tokio
- WEB: https://github.com/tokio-rs/tokio/pull/5336
- WEB: https://github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1
- WEB: https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7
- WEB: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients
- WEB: https://rustsec.org/advisories/RUSTSEC-2023-0001.html