CVE-2024-22017

EPSS 0.64%
Veröffentlicht 19.03.2024 05:15:10
Zuletzt bearbeitet 21.11.2024 08:55:24
Quelle support@hackerone.com
Teams Watchlist Login
Unerledigt Login

setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid().
This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid().
This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellernodejs

≫

Produkt nodejs

Default Statusunknown

Version < 18.18.0

Version 18.0.0

Status affected

Version < 20.4.0

Version 20.0.0

Status affected

Version < 21.6.1

Version 21.0.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.64%	0.696

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
support@hackerone.com	7.3	1.5	5.3	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L

CWE-250 Execution with Unnecessary Privileges

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

http://www.openwall.com/lists/oss-security/2024/03/11/1

https://hackerone.com/reports/2170226

https://security.netapp.com/advisory/ntap-20240517-0007/

https://nvd.nist.gov/vuln/detail/CVE-2024-22017

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-22017

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-22017

EUVD