Vulnerability Description
setuid() does not affect libuv's internal io_uring operations if they were initialized before the call to setuid(). This allows the process to keep performing privileged operations despite presumably having dropped those privileges through the call to setuid(). This vulnerability affects all users of Node.js 18.18.0 and later, Node.js 20.4.0 and later, and Node.js 21.
CVSS Score
7.3 (HIGH)
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2024/03/11/1
- https://hackerone.com/reports/2170226
- https://security.netapp.com/advisory/ntap-20240517-0007/
FAQ
What is CVE-2024-22017?
CVE-2024-22017 is a vulnerability with a CVSS score of 7.3 (HIGH). setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped suc...
How severe is CVE-2024-22017?
CVE-2024-22017 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2024-22017?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.