CVE-2024-22017
published 2024-03-19

High 7.3 (CVSS 3.0)
AV:L / AC:L / PR:H / UI:N / S:C / C:L / I:H / A:L
setuid() does not affect libuv's internal io_uring operations if they were initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users of versions greater than or equal to Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.

Affected

27 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nodejs | | |
| msrc | azl3_libuv_1.46.0-1_on_azure_linux_3.0 | | |
| msrc | azl3_libuv_1.48.0-1_on_azure_linux_3.0 | | |
| msrc | azl3_nodejs_20.10.0-2_on_azure_linux_3.0 | | |
| msrc | azl3_nodejs_20.14.0-1_on_azure_linux_3.0 | | |
| msrc | azure_linux_3.0_arm | | |
| msrc | azure_linux_3.0_x64 | | |
| msrc | cbl_mariner_2.0_arm | | |
| msrc | cbl_mariner_2.0_x64 | | |
| nodejs | node | >= 10.0 < 10.* | 10.* |
| nodejs | node | >= 11.0 < 11.* | 11.* |
| nodejs | node | >= 12.0 < 12.* | 12.* |
| nodejs | node | >= 13.0 < 13.* | 13.* |
| nodejs | node | >= 14.0 < 14.* | 14.* |
| nodejs | node | >= 15.0 < 15.* | 15.* |
| nodejs | node | >= 16.0 < 16.* | 16.* |
| nodejs | node | >= 17.0 < 17.* | 17.* |
| nodejs | node | >= 19.0 < 19.* | 19.* |
| nodejs | node | >= 20.0 < 20.11.1 | 20.11.1 |
| nodejs | node | >= 21.0 < 21.6.2 | 21.6.2 |
| nodejs | node | >= 4.0 < 4.* | 4.* |
| nodejs | node | >= 5.0 < 5.* | 5.* |
| nodejs | node | >= 6.0 < 6.* | 6.* |
| nodejs | node | >= 7.0 < 7.* | 7.* |
| nodejs | node | >= 8.0 < 8.* | 8.* |

CVSS provenance

nvd v3.0 7.3 HIGH CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L
osv 7.3 HIGH