CVE-2015-0278
Mandriva Linux Security Advisory 2015-228
Severity Score
9.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified vectors.
libuv anterior a 0.10.34 no cancela correctamente los privilegios de grupo, lo que permite a atacantes dependientes de contexto ganar privilegios a través de vectores no especificados.
It was found that libuv does not call setgoups before calling setuid/setgid. This may potentially allow an attacker to gain elevated privileges. The libuv library is bundled with nodejs, and a fixed version of libuv is included with nodejs as of version 0.10.37. The nodejs package has been updated to version 0.10.38 to fix this issue, as well as several other bugs.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2014-11-18 CVE Reserved
- 2015-05-06 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-273: Improper Check for Dropped Privileges
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| http://advisories.mageia.org/MGASA-2015-0186.html | Third Party Advisory | |
| https://github.com/libuv/libuv/pull/215 | Third Party Advisory | |
| https://groups.google.com/forum/#%21msg/libuv/0JZxwLMtsMI/jraczskYWWQJ | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/libuv/libuv/commit/66ab38918c911bcff025562cf06237d7fedaba0c | 2023-02-12 |
| URL | Date | SRC |
|---|---|---|
| http://www.mandriva.com/security/advisories?name=MDVSA-2015:228 | 2023-02-12 | |
| https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150526.html | 2023-02-12 | |
| https://security.gentoo.org/glsa/201611-10 | 2023-02-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 21 Search vendor "Fedoraproject" for product "Fedora" and version "21" | - |
Affected
| ||||||
| Libuv Project Search vendor "Libuv Project" | Libuv Search vendor "Libuv Project" for product "Libuv" | <= 0.10.33 Search vendor "Libuv Project" for product "Libuv" and version " <= 0.10.33" | - |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | < 0.10.37 Search vendor "Nodejs" for product "Node.js" and version " < 0.10.37" | - |
Affected
| ||||||