Vulnerability Information
Vulnerability Title
Tokio's reject_remote_clients configuration may get dropped when creating a Windows named pipe
Vulnerability Description
Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting `pipe_mode` will reset `reject_remote_clients` to `false`. If the application has previously configured `reject_remote_clients` to `true`, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure that `pipe_mode` is set first after initializing a `ServerOptions`.
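The ordering problem and the workaround described above, as an added example that is not Tokio's source code: a simplified Rust model of an options builder. `FlawedOptions`, `FixedOptions`, `rejects_remote` and `flags` are hypothetical names, and keeping the pipe type and the remote-client policy in one shared field is an assumption of the model; the flag values are the Win32 `CreateNamedPipe` constants.

```rust
// Simplified model, constructed for illustration; not Tokio's implementation.
const PIPE_TYPE_MESSAGE: u32 = 0x0000_0004; // Win32 value
const PIPE_REJECT_REMOTE_CLIENTS: u32 = 0x0000_0008; // Win32 value

#[derive(Clone, Copy)]
pub enum PipeMode { Byte, Message }

/// Flawed shape (assumed): one field carries both the pipe type and the
/// remote-client policy, and the mode setter assigns the whole field.
#[derive(Default)]
pub struct FlawedOptions { mode_flags: u32 }

impl FlawedOptions {
    pub fn pipe_mode(mut self, m: PipeMode) -> Self {
        // Plain assignment discards a PIPE_REJECT_REMOTE_CLIENTS bit set earlier.
        self.mode_flags = match m { PipeMode::Byte => 0, PipeMode::Message => PIPE_TYPE_MESSAGE };
        self
    }
    pub fn reject_remote_clients(mut self, reject: bool) -> Self {
        if reject { self.mode_flags |= PIPE_REJECT_REMOTE_CLIENTS; }
        else { self.mode_flags &= !PIPE_REJECT_REMOTE_CLIENTS; }
        self
    }
    pub fn rejects_remote(&self) -> bool { self.mode_flags & PIPE_REJECT_REMOTE_CLIENTS != 0 }
}

/// Hardened shape: independent fields, combined only when the flags are built,
/// so the order of the setter calls no longer matters.
#[derive(Default)]
pub struct FixedOptions { message: bool, reject_remote: bool }

impl FixedOptions {
    pub fn pipe_mode(mut self, m: PipeMode) -> Self { self.message = matches!(m, PipeMode::Message); self }
    pub fn reject_remote_clients(mut self, reject: bool) -> Self { self.reject_remote = reject; self }
    pub fn flags(&self) -> u32 {
        (if self.message { PIPE_TYPE_MESSAGE } else { 0 })
            | (if self.reject_remote { PIPE_REJECT_REMOTE_CLIENTS } else { 0 })
    }
}

fn main() {
    // Affected order: the policy is set first, then silently dropped.
    let dropped = FlawedOptions::default().reject_remote_clients(true).pipe_mode(PipeMode::Byte);
    // Workaround order from the advisory: pipe_mode first.
    let kept = FlawedOptions::default().pipe_mode(PipeMode::Message).reject_remote_clients(true);
    let fixed = FixedOptions::default().reject_remote_clients(true).pipe_mode(PipeMode::Message);
    println!("dropped={} kept={} fixed_flags={:#x}",
             dropped.rejects_remote(), kept.rejects_remote(), fixed.flags());
}
```

A unit test that builds the options in both call orders and asserts the effective remote-client setting catches this kind of regression before release.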
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Vulnerability Type
Improper Initialization
Vulnerability Title
Tokio Security Vulnerability
Vulnerability Description
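Tokio is a software library for the Rust programming language. It provides a runtime and asynchronous I/O functionality, allowing concurrency with respect to task completion. Tokio has a security vulnerability that stems from the fact that, when configuring a Windows named pipe server, setting `pipe_mode` resets `reject_remote_clients` to `false`. If the application has previously configured `reject_remote_clients` to `true`, this effectively undoes the configuration. Remote clients can only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB). The following versions are affected: version 1.7.0 through 1.18.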
CVSS Information
N/A
Vulnerability Type
N/A