setuid() does not affect libuv's internal io_uring operations if io_uring was initialized before the call to setuid().
This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid().
This vulnerability affects all users running Node.js versions greater than or equal to 18.18.0, 20.4.0, and 21.
History
Thu, 15 Aug 2024 20:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-250 |
MITRE
Status: PUBLISHED
Assigner: hackerone
Published: 2024-03-19T04:32:34.137Z
Updated: 2024-08-15T18:17:49.440Z
Reserved: 2024-01-04T01:04:06.573Z
Link: CVE-2024-22017
Vulnrichment
Updated: 2024-08-01T22:35:34.492Z
NVD
Status: Awaiting Analysis
Published: 2024-03-19T05:15:10.073
Modified: 2024-08-15T19:35:04.510
Link: CVE-2024-22017
Redhat