{
  "version": "1",
  "package": [
    {
      "name": "libuv",
      "layer": "meta",
      "version": "1.48.0",
      "products": [
        {
          "product": "libuv",
          "cvesInRecord": "Yes"
        }
      ],
      "issue": [
        {
          "id": "CVE-2014-9748",
          "summary": "The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition.",
          "scorev2": "6.8",
          "scorev3": "8.1",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9748"
        },
        {
          "id": "CVE-2015-0278",
          "summary": "libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified vectors.",
          "scorev2": "10.0",
          "scorev3": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-0278"
        },
        {
          "id": "CVE-2024-24806",
          "summary": "libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
          "scorev2": "0.0",
          "scorev3": "7.3",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-24806"
        }
      ]
    }
  ]
}