CVE-2024-22017

CWE-250CWE-269Improper Privilege Management7 documents7 sources
Severity
7.3HIGH
EPSS
0.9%
top 24.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nodejs Node
Timeline
PublishedMar 19

Description

setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:LExploitability: 1.5 | Impact: 5.3

Affected Packages2 packages

CVEListV5nodejs/node4.04.*+16
Ubuntunodejs< 20.18.1+dfsg-1ubuntu2

🔴Vulnerability Details

3
CVEList
CVE-2024-22017: setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid()2024-03-19
GHSA
GHSA-vr4q-vx84-9g5x: setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid()2024-03-19
OSV
CVE-2024-22017: setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid()2024-03-19

📋Vendor Advisories

3
Microsoft
setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped suc2024-03-12
Red Hat
nodejs: setuid() does not drop all privileges due to io_uring2024-02-19
Debian
CVE-2024-22017: nodejs - setuid() does not affect libuv's internal io_uring operations if initialized bef...2024
CVE-2024-22017 (HIGH CVSS 7.3) | setuid() does not affect libuv's in | cvebase.io