Vulnerability Description
The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Libuv | Libuv | < 1.7.4 |
| Microsoft | Windows Server 2003 | - |
| Microsoft | Windows Xp | - |
| Nodejs | Node.Js | >= 0.10.0, < 0.10.46 |
Related Weaknesses (CWE)
References
- https://github.com/libuv/libuv/issues/515PatchThird Party Advisory
- https://github.com/libuv/libuv/pull/516PatchThird Party Advisory
- https://github.com/nodejs/node/pull/2723Third Party Advisory
- https://groups.google.com/forum/#%21msg/libuv/KyNnGEXR0OA/NWb605ev2LUJ
- https://groups.google.com/forum/#%21topic/libuv/WO2cl9zasN8
- https://github.com/libuv/libuv/issues/515PatchThird Party Advisory
- https://github.com/libuv/libuv/pull/516PatchThird Party Advisory
- https://github.com/nodejs/node/pull/2723Third Party Advisory
- https://groups.google.com/forum/#%21msg/libuv/KyNnGEXR0OA/NWb605ev2LUJ
- https://groups.google.com/forum/#%21topic/libuv/WO2cl9zasN8
FAQ
What is CVE-2014-9748?
CVE-2014-9748 is a vulnerability with a CVSS score of 8.1 (HIGH). The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to caus...
How severe is CVE-2014-9748?
CVE-2014-9748 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-9748?
Check the references section above for vendor advisories and patch information. Affected products include: Libuv Libuv, Microsoft Windows Server 2003, Microsoft Windows Xp, Nodejs Node.Js.