CVE-2024-22017

Publication date 19 March 2024

Last updated 7 September 2024

setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.

Why is this CVE high priority?

setting priority based on oss-security report

Learn more about Ubuntu priority

Status

Show unmaintained releases

Package	Ubuntu Release	Status
nodejs	24.04 LTS noble	Needs evaluation
	23.10 mantic	Ignored
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not affected

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#setuid-does-not-drop-all-privileges-due-to-io_uring-cve-2024-22017---high
https://www.cve.org/CVERecord?id=CVE-2024-22017
https://www.openwall.com/lists/oss-security/2024/03/11/1