{
  "threat_severity" : "Important",
  "public_date" : "2024-02-19T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs: setuid() does not drop all privileges due to io_uring",
    "id" : "2265727",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2265727"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-269",
  "details" : [ "setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid().\nThis allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid().\nThis vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.", "A flaw was found in Node.js, where the setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This issue allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid()." ],
  "statement" : "This vulnerability affects all users in active release lines 20.x, and 21.x.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-04-08T00:00:00Z",
    "advisory" : "RHSA-2024:1687",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:20-8090020240228165436.a75119d5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-08T00:00:00Z",
    "advisory" : "RHSA-2024:1688",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:20-9030020240229115828.rhel9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:16/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:18/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:18/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-22017\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-22017" ],
  "name" : "CVE-2024-22017",
  "csaw" : false
}