PT-2024-3904 · Node.Js+7

Valette · Published 2024-02-15 · Updated 2025-09-23 · CVE-2024-22017

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Node.js versions 18.18.0 and later; Node.js versions 20.4.0 and later; Node.js versions 21 and later
Description: setuid() does not affect libuv's internal io_uring operations if they were initialized before the call to setuid(). A process can therefore continue to perform privileged operations through io_uring despite presumably having dropped those privileges with setuid(). The vulnerability may be exploited to elevate privileges.
Recommendations:
For Node.js versions 18.18.0 and later: update to a version that includes a fix for this issue.
For Node.js versions 20.4.0 and later: update to a version that includes a fix for this issue.
For Node.js versions 21 and later: update to a version that includes a fix for this issue.
As a temporary workaround, consider disabling the use of setuid() and libuv's internal io_uring operations until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

ALSA-2024:1687
ALSA-2024:1688
ALT-PU-2024-3054
AZL-35886
AZL-35899
BDU:2024-04313
BIT-NODE-2024-22017
BIT-NODE-MIN-2024-22017
CESA-2024_1687
CVE-2024-22017
OPENSUSE-SU-2024:13697-1
OPENSUSE-SU-2024:13698-1
OPENSUSE-SU-2024:13972-1
RHSA-2024:1687
RHSA-2024:1688
RHSA-2024_1687
RHSA-2024_1688
RLSA-2024:1687
RLSA-2024:1688
SUSE-SU-2024:0643-1

Affected Products

Alt Linux
Almalinux
Centos
Node.Js
Red Hat
Red Os
Rocky Linux
Suse