CVE-2024-22017

Advisory lineage Upstream: 0 Downstream: 7

Downstream

OPENSUSE-SU-2024:13697-1 OPENSUSE-SU-2024:13698-1 OPENSUSE-SU-2024:13972-1 RHSA-2024:1687 RHSA-2024:1688 SUSE-SU-2024:0643-1

Deferred

Published: 19 Mar 2024, 04:32

Last modified:30 Apr 2025, 22:25

Vulnerability Summary

Overall Risk (default)

medium

29/100

CVSS Score

7.3 HIGH

v3.0 (cve.org)

EPSS Score

0.88% LOW

1% probability +0.24%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

19 Mar 2024, 04:32

Published

Vulnerability first disclosed

30 Apr 2025, 22:25

Last Modified

Vulnerability information updated

Description

setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.

CVSS Metrics

v3.0•HIGH•Score: 7.3CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L

EPSS Trends

Current EPSS score: 0.88%• Percentile: 76%

Techniques & Countermeasures

CWE-250•Execution with Unnecessary Privileges
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Affected Systems

nodejs•node
≥ 4.0, < 4.* | ≥ 5.0, < 5.* | ≥ 6.0, < 6.* | ≥ 7.0, < 7.* | ≥ 8.0, < 8.* | ≥ 9.0, < 9.* | ≥ 10.0, < 10.* | ≥ 11.0, < 11.* | ≥ 12.0, < 12.* | ≥ 13.0, < 13.* | ≥ 14.0, < 14.* | ≥ 15.0, < 15.* | ≥ 16.0, < 16.* | ≥ 17.0, < 17.* | ≥ 19.0, < 19.* | ≥ 20.0, < 20.11.1 | ≥ 21.0, < 21.6.2