Privilege Escalation Vulnerability in Node.js by Joyent
CVE-2024-22017

7.3 HIGH

Key Information:

Vendor: Node.js

Status: Vendor

CVE Published: 19 March 2024

What is CVE-2024-22017?

A vulnerability exists in Node.js, affecting versions 18.18.0 and higher, where libuv's internal io_uring operations are not correctly affected by the setuid() call. This flaw permits a process to continue executing privileged operations even after the intended privilege drop has occurred, which is a significant risk for applications that rely on Node.js dropping privileges for secure operation. Developers and system administrators are advised to review their Node.js versions and apply the necessary patches or mitigations to guard against unauthorized access and potential exploitation.

Affected Version(s)

Node.js 18.18.0

Node.js 20.4.0

Node.js 21.6.1

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved