#VU69546 Race condition in tokio - CVE-2021-45710


Vulnerability identifier: #VU69546

Vulnerability risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-45710

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
tokio
Universal components / Libraries / Programming Languages & Components

Vendor: tokio-rs

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a race condition. A remote attacker can exploit the race and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

tokio: before 1.8.4, 1.13.1, 1.8.4, 1.8.4

External links
https://rustsec.org/advisories/RUSTSEC-2021-0124.html
https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/tokio/RUSTSEC-2021-0124.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for sccache
SUSE update for 389-ds
SUSE update for sccache
SUSE update for 389-ds
SUSE update for rustup
Remote code execution in tokio crate for rust