All the vulnerabilites related to Apache Software Foundation - Apache CouchDB
cve-2018-11769
Vulnerability from cvelistv5
Published
2018-08-08 15:00
Modified
2024-09-16 17:59
Severity ?
EPSS score ?
Summary
CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user under which CouchDB runs, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows a CouchDB admin user to gain arbitrary remote code execution, bypassing CVE-2017-12636 and CVE-2018-8007.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/105046 | vdb-entry, x_refsource_BID | |
https://security.gentoo.org/glsa/201812-06 | vendor-advisory, x_refsource_GENTOO | |
https://lists.apache.org/thread.html/1052ad7a1b32b9756df4f7860f5cb5a96b739f444117325a19a4bf75%40%3Cdev.couchdb.apache.org%3E | x_refsource_MISC | |
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03935en_us | x_refsource_CONFIRM | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3JOUCX7LHDV4YWZDQNXT5NTKKRANZQW/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S5FPHVVU5KMRFKQTJPAM3TBGC7LKCWQS/ | vendor-advisory, x_refsource_FEDORA |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache CouchDB |
Version: Apache Tomcat 1.x and =2.1.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T08:17:09.231Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "105046", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/105046" }, { "name": "GLSA-201812-06", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201812-06" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/1052ad7a1b32b9756df4f7860f5cb5a96b739f444117325a19a4bf75%40%3Cdev.couchdb.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" }, { "name": "FEDORA-2020-83f513fd7e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3JOUCX7LHDV4YWZDQNXT5NTKKRANZQW/" }, { "name": "FEDORA-2020-73bd8167a0", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S5FPHVVU5KMRFKQTJPAM3TBGC7LKCWQS/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache CouchDB", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache Tomcat 1.x and =2.1.2" } ] } ], "datePublic": "2018-08-08T00:00:00", "descriptions": [ { "lang": "en", "value": "CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system\u0027s user under which CouchDB runs, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows a CouchDB admin user to gain arbitrary remote code execution, bypassing CVE-2017-12636 and CVE-2018-8007." } ], "problemTypes": [ { "descriptions": [ { "description": "Remote Code Execution", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-16T23:06:07", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "105046", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/105046" }, { "name": "GLSA-201812-06", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201812-06" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/1052ad7a1b32b9756df4f7860f5cb5a96b739f444117325a19a4bf75%40%3Cdev.couchdb.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" }, { "name": "FEDORA-2020-83f513fd7e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3JOUCX7LHDV4YWZDQNXT5NTKKRANZQW/" }, { "name": "FEDORA-2020-73bd8167a0", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S5FPHVVU5KMRFKQTJPAM3TBGC7LKCWQS/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-08-08T00:00:00", "ID": "CVE-2018-11769", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache CouchDB", "version": { "version_data": [ { "version_value": "Apache Tomcat 1.x and =2.1.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system\u0027s user under which CouchDB runs, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows a CouchDB admin user to gain arbitrary remote code execution, bypassing CVE-2017-12636 and CVE-2018-8007." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Remote Code Execution" } ] } ] }, "references": { "reference_data": [ { "name": "105046", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105046" }, { "name": "GLSA-201812-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201812-06" }, { "name": "https://lists.apache.org/thread.html/1052ad7a1b32b9756df4f7860f5cb5a96b739f444117325a19a4bf75@%3Cdev.couchdb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/1052ad7a1b32b9756df4f7860f5cb5a96b739f444117325a19a4bf75@%3Cdev.couchdb.apache.org%3E" }, { "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us", "refsource": "CONFIRM", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" }, { "name": "FEDORA-2020-83f513fd7e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3JOUCX7LHDV4YWZDQNXT5NTKKRANZQW/" }, { "name": "FEDORA-2020-73bd8167a0", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S5FPHVVU5KMRFKQTJPAM3TBGC7LKCWQS/" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-11769", "datePublished": "2018-08-08T15:00:00Z", "dateReserved": "2018-06-05T00:00:00", "dateUpdated": "2024-09-16T17:59:21.214Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-8742
Vulnerability from cvelistv5
Published
2018-02-12 17:00
Modified
2024-09-17 00:26
Severity ?
EPSS score ?
Summary
The Windows installer that the Apache CouchDB team provides was vulnerable to local privilege escalation. All files in the install inherit the file permissions of the parent directory and therefore a non-privileged user can substitute any executable for the nssm.exe service launcher, or CouchDB batch or binary files. A subsequent service or server restart will then run that binary with administrator privilege. This issue affected CouchDB 2.0.0 (Windows platform only) and was addressed in CouchDB 2.0.0.1.
References
▼ | URL | Tags |
---|---|---|
http://mail-archives.apache.org/mod_mbox/couchdb-dev/201612.mbox/%3C825F65E1-0E5F-4E1F-8053-CF2C6200C526%40apache.org%3E | mailing-list, x_refsource_MLIST | |
https://www.exploit-db.com/exploits/40865/ | exploit, x_refsource_EXPLOIT-DB | |
http://www.securityfocus.com/bid/94766 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache CouchDB |
Version: 2.0.0 (Windows platform only) |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T02:34:59.611Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[couchdb-dev] 20161208 http://mail-archives.apache.org/mod_mbox/couchdb-dev/201612.mbox/%3C825F65E1-0E5F-4E1F-8053-CF2C6200C526%40apache.org%3E", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://mail-archives.apache.org/mod_mbox/couchdb-dev/201612.mbox/%3C825F65E1-0E5F-4E1F-8053-CF2C6200C526%40apache.org%3E" }, { "name": "40865", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/40865/" }, { "name": "94766", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/94766" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache CouchDB", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "2.0.0 (Windows platform only)" } ] } ], "datePublic": "2016-12-08T00:00:00", "descriptions": [ { "lang": "en", "value": "The Windows installer that the Apache CouchDB team provides was vulnerable to local privilege escalation. All files in the install inherit the file permissions of the parent directory and therefore a non-privileged user can substitute any executable for the nssm.exe service launcher, or CouchDB batch or binary files. A subsequent service or server restart will then run that binary with administrator privilege. This issue affected CouchDB 2.0.0 (Windows platform only) and was addressed in CouchDB 2.0.0.1." } ], "problemTypes": [ { "descriptions": [ { "description": "File permissions", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-02-13T10:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[couchdb-dev] 20161208 http://mail-archives.apache.org/mod_mbox/couchdb-dev/201612.mbox/%3C825F65E1-0E5F-4E1F-8053-CF2C6200C526%40apache.org%3E", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://mail-archives.apache.org/mod_mbox/couchdb-dev/201612.mbox/%3C825F65E1-0E5F-4E1F-8053-CF2C6200C526%40apache.org%3E" }, { "name": "40865", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/40865/" }, { "name": "94766", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/94766" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2016-12-08T00:00:00", "ID": "CVE-2016-8742", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache CouchDB", "version": { "version_data": [ { "version_value": "2.0.0 (Windows platform only)" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Windows installer that the Apache CouchDB team provides was vulnerable to local privilege escalation. All files in the install inherit the file permissions of the parent directory and therefore a non-privileged user can substitute any executable for the nssm.exe service launcher, or CouchDB batch or binary files. A subsequent service or server restart will then run that binary with administrator privilege. This issue affected CouchDB 2.0.0 (Windows platform only) and was addressed in CouchDB 2.0.0.1." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "File permissions" } ] } ] }, "references": { "reference_data": [ { "name": "[couchdb-dev] 20161208 http://mail-archives.apache.org/mod_mbox/couchdb-dev/201612.mbox/%3C825F65E1-0E5F-4E1F-8053-CF2C6200C526%40apache.org%3E", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/couchdb-dev/201612.mbox/%3C825F65E1-0E5F-4E1F-8053-CF2C6200C526%40apache.org%3E" }, { "name": "40865", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/40865/" }, { "name": "94766", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94766" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2016-8742", "datePublished": "2018-02-12T17:00:00Z", "dateReserved": "2016-10-18T00:00:00", "dateUpdated": "2024-09-17T00:26:42.742Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-12636
Vulnerability from cvelistv5
Published
2017-11-14 20:00
Modified
2024-09-16 18:48
Severity ?
EPSS score ?
Summary
CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.
References
▼ | URL | Tags |
---|---|---|
https://www.exploit-db.com/exploits/45019/ | exploit, x_refsource_EXPLOIT-DB | |
https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67%40%3Cdev.couchdb.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://www.exploit-db.com/exploits/44913/ | exploit, x_refsource_EXPLOIT-DB | |
https://security.gentoo.org/glsa/201711-16 | vendor-advisory, x_refsource_GENTOO | |
https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html | mailing-list, x_refsource_MLIST | |
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03935en_us | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache CouchDB |
Version: 1.2.0 to 1.6.1 Version: 2.0.0 to 2.1.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T18:43:56.454Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "45019", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/45019/" }, { "name": "[dev] 20171114 Apache CouchDB CVE-2017-12635 and CVE-2017-12636", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67%40%3Cdev.couchdb.apache.org%3E" }, { "name": "44913", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/44913/" }, { "name": "GLSA-201711-16", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201711-16" }, { "name": "[debian-lts-announce] 20180121 [SECURITY] [DLA 1252-1] couchdb security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache CouchDB", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "1.2.0 to 1.6.1" }, { "status": "affected", "version": "2.0.0 to 2.1.0" } ] } ], "datePublic": "2017-11-14T00:00:00", "descriptions": [ { "lang": "en", "value": "CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-13T18:06:10", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "45019", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/45019/" }, { "name": "[dev] 20171114 Apache CouchDB CVE-2017-12635 and CVE-2017-12636", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67%40%3Cdev.couchdb.apache.org%3E" }, { "name": "44913", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/44913/" }, { "name": "GLSA-201711-16", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201711-16" }, { "name": "[debian-lts-announce] 20180121 [SECURITY] [DLA 1252-1] couchdb security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2017-11-14T00:00:00", "ID": "CVE-2017-12636", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache CouchDB", "version": { "version_data": [ { "version_value": "1.2.0 to 1.6.1" }, { "version_value": "2.0.0 to 2.1.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "45019", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/45019/" }, { "name": "[dev] 20171114 Apache CouchDB CVE-2017-12635 and CVE-2017-12636", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E" }, { "name": "44913", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/44913/" }, { "name": "GLSA-201711-16", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201711-16" }, { "name": "[debian-lts-announce] 20180121 [SECURITY] [DLA 1252-1] couchdb security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html" }, { "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us", "refsource": "CONFIRM", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-12636", "datePublished": "2017-11-14T20:00:00Z", "dateReserved": "2017-08-07T00:00:00", "dateUpdated": "2024-09-16T18:48:31.205Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-24706
Vulnerability from cvelistv5
Published
2022-04-26 00:00
Modified
2024-08-03 04:20
Severity ?
EPSS score ?
Summary
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache CouchDB |
Version: Apache CouchDB < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:50.213Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00" }, { "tags": [ "x_transferred" ], "url": "https://docs.couchdb.org/en/3.2.2/setup/cluster.html" }, { "name": "[oss-security] 20220426 CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/04/26/1" }, { "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/09/1" }, { "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/09/3" }, { "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/09/4" }, { "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/09/2" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html" }, { "tags": [ "x_transferred" ], "url": "https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache CouchDB", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "3.2.1", "status": "affected", "version": "Apache CouchDB", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "The Apache CouchDB Team would like to thank Alex Vandiver \u003calexmv@zulip.com\u003e for the report of this issue." } ], "descriptions": [ { "lang": "en", "value": "In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations." } ], "metrics": [ { "other": { "content": { "other": "critical" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1188", "description": "CWE-1188 Insecure Default Initialization of Resource", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-02T00:00:00", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "url": "https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00" }, { "url": "https://docs.couchdb.org/en/3.2.2/setup/cluster.html" }, { "name": "[oss-security] 20220426 CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/04/26/1" }, { "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/09/1" }, { "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/09/3" }, { "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/09/4" }, { "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/09/2" }, { "url": "http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html" }, { "url": "https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd" }, { "url": "http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Remote Code Execution Vulnerability in Packaging", "workarounds": [ { "lang": "en", "value": "CouchDB 3.2.2 and onwards will refuse to start with the former default\nErlang cookie value of `monster`. Installations that upgrade to this\nversions are forced to choose a different value.\n\nIn addition, all binary packages have been updated to bind `epmd` as\nwell as the CouchDB distribution port to `127.0.0.1` and/or `::1`\nrespectively." } ], "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-24706", "datePublished": "2022-04-26T00:00:00", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:50.213Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-26268
Vulnerability from cvelistv5
Published
2023-05-02 20:06
Modified
2024-10-15 18:11
Severity ?
EPSS score ?
Summary
Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions:
* validate_doc_update
* list
* filter
* filter views (using view functions as filters)
* rewrite
* update
This doesn't affect map/reduce or search (Dreyfus) index functions.
Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3).
Workaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/r2wvjfysg3d92lhhjd1qh3wfr8mlp0pp | vendor-advisory | |
https://docs.couchdb.org/en/stable/cve/2023-26268.html | release-notes | |
https://lists.apache.org/thread/ldkqs0nhpmho26bdxf4fon7w75hsq5gl | vendor-advisory |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Apache Software Foundation | Apache CouchDB |
Version: 0 ≤ 3.3.1 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T11:46:24.314Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/r2wvjfysg3d92lhhjd1qh3wfr8mlp0pp" }, { "tags": [ "release-notes", "x_transferred" ], "url": "https://docs.couchdb.org/en/stable/cve/2023-26268.html" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/ldkqs0nhpmho26bdxf4fon7w75hsq5gl" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-26268", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-15T18:11:10.609683Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-15T18:11:19.560Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "product": "Apache CouchDB", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "3.3.1", "status": "affected", "version": "0", "versionType": "semver" } ] }, { "defaultStatus": "unaffected", "product": "IBM Cloudant", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "8349", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Nick Vatamaniuc vatamane@apache.org" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDesign documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions:\u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003evalidate_doc_update\u003cbr\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003elist\u003cbr\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003efilter\u003cbr\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003efilter views (using view functions as filters)\u003cbr\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003er\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eewrite\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eupdate\u003cbr\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/span\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis doesn\u0027t affect map/reduce or search (Dreyfus) index functions.\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUsers are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3).\u003c/span\u003e\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWorkaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment.\u003c/span\u003e\u003c/div\u003e" } ], "value": "Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions:\n * validate_doc_update\n\n * list\n\n * filter\n\n * filter views (using view functions as filters)\n\n * rewrite\n\n * update\n\n\n\nThis doesn\u0027t affect map/reduce or search (Dreyfus) index functions.\n\nUsers are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3).\n\nWorkaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-02T20:06:09.352Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/r2wvjfysg3d92lhhjd1qh3wfr8mlp0pp" }, { "tags": [ "release-notes" ], "url": "https://docs.couchdb.org/en/stable/cve/2023-26268.html" }, { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/ldkqs0nhpmho26bdxf4fon7w75hsq5gl" } ], "source": { "discovery": "INTERNAL" }, "title": "Apache CouchDB, IBM Cloudant: Information sharing via couchjs processes", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-26268", "datePublished": "2023-05-02T20:06:09.352Z", "dateReserved": "2023-02-21T08:19:47.658Z", "dateUpdated": "2024-10-15T18:11:19.560Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-17188
Vulnerability from cvelistv5
Published
2019-01-02 14:00
Modified
2024-08-05 10:39
Severity ?
EPSS score ?
Summary
Prior to CouchDB version 2.3.0, CouchDB allowed for runtime-configuration of key components of the database. In some cases, this lead to vulnerabilities where CouchDB admin users could access the underlying operating system as the CouchDB user. Together with other vulnerabilities, it allowed full system entry for unauthenticated users. Rather than waiting for new vulnerabilities to be discovered, and fixing them as they come up, the CouchDB development team decided to make changes to avoid this entire class of vulnerabilities.
References
▼ | URL | Tags |
---|---|---|
https://blog.couchdb.org/2018/12/17/cve-2018-17188/ | x_refsource_MISC | |
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03935en_us | x_refsource_CONFIRM | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3JOUCX7LHDV4YWZDQNXT5NTKKRANZQW/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S5FPHVVU5KMRFKQTJPAM3TBGC7LKCWQS/ | vendor-advisory, x_refsource_FEDORA |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache CouchDB |
Version: All |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T10:39:59.575Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.couchdb.org/2018/12/17/cve-2018-17188/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" }, { "name": "FEDORA-2020-83f513fd7e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3JOUCX7LHDV4YWZDQNXT5NTKKRANZQW/" }, { "name": "FEDORA-2020-73bd8167a0", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S5FPHVVU5KMRFKQTJPAM3TBGC7LKCWQS/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache CouchDB", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "All" } ] } ], "datePublic": "2019-01-02T00:00:00", "descriptions": [ { "lang": "en", "value": "Prior to CouchDB version 2.3.0, CouchDB allowed for runtime-configuration of key components of the database. In some cases, this lead to vulnerabilities where CouchDB admin users could access the underlying operating system as the CouchDB user. Together with other vulnerabilities, it allowed full system entry for unauthenticated users. Rather than waiting for new vulnerabilities to be discovered, and fixing them as they come up, the CouchDB development team decided to make changes to avoid this entire class of vulnerabilities." } ], "problemTypes": [ { "descriptions": [ { "description": "Remote Privilege Escalations", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-16T23:06:05", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://blog.couchdb.org/2018/12/17/cve-2018-17188/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" }, { "name": "FEDORA-2020-83f513fd7e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3JOUCX7LHDV4YWZDQNXT5NTKKRANZQW/" }, { "name": "FEDORA-2020-73bd8167a0", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S5FPHVVU5KMRFKQTJPAM3TBGC7LKCWQS/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2018-17188", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache CouchDB", "version": { "version_data": [ { "version_value": "All" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Prior to CouchDB version 2.3.0, CouchDB allowed for runtime-configuration of key components of the database. In some cases, this lead to vulnerabilities where CouchDB admin users could access the underlying operating system as the CouchDB user. Together with other vulnerabilities, it allowed full system entry for unauthenticated users. Rather than waiting for new vulnerabilities to be discovered, and fixing them as they come up, the CouchDB development team decided to make changes to avoid this entire class of vulnerabilities." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Remote Privilege Escalations" } ] } ] }, "references": { "reference_data": [ { "name": "https://blog.couchdb.org/2018/12/17/cve-2018-17188/", "refsource": "MISC", "url": "https://blog.couchdb.org/2018/12/17/cve-2018-17188/" }, { "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us", "refsource": "CONFIRM", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" }, { "name": "FEDORA-2020-83f513fd7e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3JOUCX7LHDV4YWZDQNXT5NTKKRANZQW/" }, { "name": "FEDORA-2020-73bd8167a0", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S5FPHVVU5KMRFKQTJPAM3TBGC7LKCWQS/" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-17188", "datePublished": "2019-01-02T14:00:00", "dateReserved": "2018-09-19T00:00:00", "dateUpdated": "2024-08-05T10:39:59.575Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-45725
Vulnerability from cvelistv5
Published
2023-12-13 08:02
Modified
2024-08-02 20:29
Severity ?
EPSS score ?
Summary
Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document.
These design document functions are:
* list
* show
* rewrite
* update
An attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an "update" function.
For the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document.
Workaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate request object's headers
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/pqjq9zt8vq9rsobkc1cow9sqm9vozlrg | vendor-advisory | |
https://docs.couchdb.org/en/stable/cve/2023-45725.html | release-notes |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Apache Software Foundation | Apache CouchDB |
Version: 0 ≤ 3.3.2 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:29:31.714Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/pqjq9zt8vq9rsobkc1cow9sqm9vozlrg" }, { "tags": [ "release-notes", "x_transferred" ], "url": "https://docs.couchdb.org/en/stable/cve/2023-45725.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "affected", "product": "Apache CouchDB", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "3.3.2", "status": "affected", "version": "0", "versionType": "semver" } ] }, { "defaultStatus": "unaffected", "product": "IBM Cloudant", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "8413", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Natan Nehorai from the JFrog Vulnerability Research Team" }, { "lang": "en", "type": "reporter", "value": "Or Peles from the JFrog Vulnerability Research Team" }, { "lang": "en", "type": "finder", "value": "Richard Ellis from IBM/Cloudant Team" }, { "lang": "en", "type": "finder", "value": "Mike Rhodes from IBM/Cloudant Team" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document.\u003cbr\u003e\u003cbr\u003eThese design document functions are:\u003cbr\u003e\u003cul\u003e\u003cli\u003e\u0026nbsp; list\u003c/li\u003e\u003cli\u003e\u0026nbsp; show\u003c/li\u003e\u003cli\u003e\u0026nbsp; rewrite\u003c/li\u003e\u003cli\u003e\u0026nbsp; update\u003c/li\u003e\u003c/ul\u003eAn attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an \"update\" function.\u003cbr\u003e\u003cbr\u003eFor the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document.\u003cbr\u003e\u003cbr\u003eWorkaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate request object\u0027s headers\u003cbr\u003e" } ], "value": "Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document.\n\nThese design document functions are:\n * \u00a0 list\n * \u00a0 show\n * \u00a0 rewrite\n * \u00a0 update\n\nAn attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an \"update\" function.\n\nFor the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document.\n\nWorkaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate request object\u0027s headers\n" } ], "metrics": [ { "other": { "content": { "text": "moderate" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-13T08:02:17.326Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/pqjq9zt8vq9rsobkc1cow9sqm9vozlrg" }, { "tags": [ "release-notes" ], "url": "https://docs.couchdb.org/en/stable/cve/2023-45725.html" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache CouchDB, IBM Cloudant: Privilege Escalation Using _design Documents", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-45725", "datePublished": "2023-12-13T08:02:17.326Z", "dateReserved": "2023-10-10T21:35:31.623Z", "dateUpdated": "2024-08-02T20:29:31.714Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-8007
Vulnerability from cvelistv5
Published
2018-07-11 13:00
Modified
2024-09-16 17:04
Severity ?
EPSS score ?
Summary
Apache CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user that CouchDB runs under, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows an existing CouchDB admin user to gain arbitrary remote code execution, bypassing already disclosed CVE-2017-12636. Mitigation: All users should upgrade to CouchDB releases 1.7.2 or 2.1.2.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache CouchDB |
Version: < 1.7.2 Version: 2.0.0 to 2.1.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T06:46:11.455Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[couchdb-announce] 20180710 Apache CouchDB 2.1.2 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://mail-archives.apache.org/mod_mbox/couchdb-announce/201807.mbox/%3c1439409216.6221.1531246856676.JavaMail.Joan%40RITA%3e" }, { "name": "GLSA-201812-06", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201812-06" }, { "name": "[couchdb-announce] 20180710 Apache CouchDB 1.7.2 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://mail-archives.apache.org/mod_mbox/couchdb-announce/201807.mbox/%3C1699016538.6219.1531246785603.JavaMail.Joan%40RITA%3E" }, { "name": "104741", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/104741" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://blog.couchdb.org/2018/07/10/cve-2018-8007/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" }, { "name": "FEDORA-2020-83f513fd7e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3JOUCX7LHDV4YWZDQNXT5NTKKRANZQW/" }, { "name": "FEDORA-2020-73bd8167a0", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S5FPHVVU5KMRFKQTJPAM3TBGC7LKCWQS/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache CouchDB", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "\u003c 1.7.2" }, { "status": "affected", "version": "2.0.0 to 2.1.1" } ] } ], "datePublic": "2018-07-10T00:00:00", "descriptions": [ { "lang": "en", "value": "Apache CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system\u0027s user that CouchDB runs under, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows an existing CouchDB admin user to gain arbitrary remote code execution, bypassing already disclosed CVE-2017-12636. Mitigation: All users should upgrade to CouchDB releases 1.7.2 or 2.1.2." } ], "problemTypes": [ { "descriptions": [ { "description": "Administrative Privilege Escalation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-16T23:06:06", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[couchdb-announce] 20180710 Apache CouchDB 2.1.2 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://mail-archives.apache.org/mod_mbox/couchdb-announce/201807.mbox/%3c1439409216.6221.1531246856676.JavaMail.Joan%40RITA%3e" }, { "name": "GLSA-201812-06", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201812-06" }, { "name": "[couchdb-announce] 20180710 Apache CouchDB 1.7.2 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://mail-archives.apache.org/mod_mbox/couchdb-announce/201807.mbox/%3C1699016538.6219.1531246785603.JavaMail.Joan%40RITA%3E" }, { "name": "104741", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/104741" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://blog.couchdb.org/2018/07/10/cve-2018-8007/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" }, { "name": "FEDORA-2020-83f513fd7e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3JOUCX7LHDV4YWZDQNXT5NTKKRANZQW/" }, { "name": "FEDORA-2020-73bd8167a0", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S5FPHVVU5KMRFKQTJPAM3TBGC7LKCWQS/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-07-10T00:00:00", "ID": "CVE-2018-8007", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache CouchDB", "version": { "version_data": [ { "version_value": "\u003c 1.7.2" }, { "version_value": "2.0.0 to 2.1.1" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system\u0027s user that CouchDB runs under, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows an existing CouchDB admin user to gain arbitrary remote code execution, bypassing already disclosed CVE-2017-12636. Mitigation: All users should upgrade to CouchDB releases 1.7.2 or 2.1.2." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Administrative Privilege Escalation" } ] } ] }, "references": { "reference_data": [ { "name": "[couchdb-announce] 20180710 Apache CouchDB 2.1.2 released", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/couchdb-announce/201807.mbox/%3c1439409216.6221.1531246856676.JavaMail.Joan@RITA%3e" }, { "name": "GLSA-201812-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201812-06" }, { "name": "[couchdb-announce] 20180710 Apache CouchDB 1.7.2 released", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/couchdb-announce/201807.mbox/%3C1699016538.6219.1531246785603.JavaMail.Joan%40RITA%3E" }, { "name": "104741", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104741" }, { "name": "https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/", "refsource": "MISC", "url": "https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/" }, { "name": "https://blog.couchdb.org/2018/07/10/cve-2018-8007/", "refsource": "CONFIRM", "url": "https://blog.couchdb.org/2018/07/10/cve-2018-8007/" }, { "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us", "refsource": "CONFIRM", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" }, { "name": "FEDORA-2020-83f513fd7e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3JOUCX7LHDV4YWZDQNXT5NTKKRANZQW/" }, { "name": "FEDORA-2020-73bd8167a0", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S5FPHVVU5KMRFKQTJPAM3TBGC7LKCWQS/" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-8007", "datePublished": "2018-07-11T13:00:00Z", "dateReserved": "2018-03-09T00:00:00", "dateUpdated": "2024-09-16T17:04:00.488Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-38295
Vulnerability from cvelistv5
Published
2021-10-14 19:55
Modified
2024-08-04 01:37
Severity ?
EPSS score ?
Summary
In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality. This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes. This issue affected Apache CouchDB prior to 3.1.2
References
▼ | URL | Tags |
---|---|---|
https://docs.couchdb.org/en/stable/cve/2021-38295.html | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Apache Software Foundation | Apache CouchDB |
Version: Apache CouchDB < 3.1.2 |
||||
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:37:16.335Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://docs.couchdb.org/en/stable/cve/2021-38295.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache CouchDB", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "3.1.2", "status": "affected", "version": "Apache CouchDB", "versionType": "custom" } ] }, { "product": "IBM Cloudant", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "8201", "status": "affected", "version": "IBM Cloudant", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was identified by Cory Sabol of Secure Ideas." } ], "descriptions": [ { "lang": "en", "value": "In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality. This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes. This issue affected Apache CouchDB prior to 3.1.2" } ], "metrics": [ { "other": { "content": { "other": "low" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "Privilege escalation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-14T19:55:12", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://docs.couchdb.org/en/stable/cve/2021-38295.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Privilege escalation vulnerability when using HTML attachments", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-38295", "STATE": "PUBLIC", "TITLE": "Privilege escalation vulnerability when using HTML attachments" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache CouchDB", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "Apache CouchDB", "version_value": "3.1.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" }, { "product": { "product_data": [ { "product_name": "IBM Cloudant", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "IBM Cloudant", "version_value": "8201" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue was identified by Cory Sabol of Secure Ideas." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality. This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes. This issue affected Apache CouchDB prior to 3.1.2" } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "low" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Privilege escalation" } ] } ] }, "references": { "reference_data": [ { "name": "https://docs.couchdb.org/en/stable/cve/2021-38295.html", "refsource": "MISC", "url": "https://docs.couchdb.org/en/stable/cve/2021-38295.html" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-38295", "datePublished": "2021-10-14T19:55:12", "dateReserved": "2021-08-09T00:00:00", "dateUpdated": "2024-08-04T01:37:16.335Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-12635
Vulnerability from cvelistv5
Published
2017-11-14 20:00
Modified
2024-09-17 01:31
Severity ?
EPSS score ?
Summary
Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.
References
▼ | URL | Tags |
---|---|---|
https://www.exploit-db.com/exploits/44498/ | exploit, x_refsource_EXPLOIT-DB | |
https://www.exploit-db.com/exploits/45019/ | exploit, x_refsource_EXPLOIT-DB | |
https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67%40%3Cdev.couchdb.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://security.gentoo.org/glsa/201711-16 | vendor-advisory, x_refsource_GENTOO | |
https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html | mailing-list, x_refsource_MLIST | |
http://www.securityfocus.com/bid/101868 | vdb-entry, x_refsource_BID | |
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03935en_us | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache CouchDB |
Version: 1.2.0 to 1.6.1 Version: 2.0.0 to 2.1.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T18:43:56.416Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "44498", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/44498/" }, { "name": "45019", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/45019/" }, { "name": "[dev] 20171114 Apache CouchDB CVE-2017-12635 and CVE-2017-12636", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67%40%3Cdev.couchdb.apache.org%3E" }, { "name": "GLSA-201711-16", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201711-16" }, { "name": "[debian-lts-announce] 20180121 [SECURITY] [DLA 1252-1] couchdb security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html" }, { "name": "101868", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/101868" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache CouchDB", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "1.2.0 to 1.6.1" }, { "status": "affected", "version": "2.0.0 to 2.1.0" } ] } ], "datePublic": "2017-11-14T00:00:00", "descriptions": [ { "lang": "en", "value": "Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for \u0027roles\u0027 used for access control within the database, including the special case \u0027_admin\u0027 role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two \u0027roles\u0027 keys are available in the JSON, the second one will be used for authorising the document write, but the first \u0027roles\u0027 key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-13T18:06:09", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "44498", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/44498/" }, { "name": "45019", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/45019/" }, { "name": "[dev] 20171114 Apache CouchDB CVE-2017-12635 and CVE-2017-12636", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67%40%3Cdev.couchdb.apache.org%3E" }, { "name": "GLSA-201711-16", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201711-16" }, { "name": "[debian-lts-announce] 20180121 [SECURITY] [DLA 1252-1] couchdb security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html" }, { "name": "101868", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/101868" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2017-11-14T00:00:00", "ID": "CVE-2017-12635", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache CouchDB", "version": { "version_data": [ { "version_value": "1.2.0 to 1.6.1" }, { "version_value": "2.0.0 to 2.1.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for \u0027roles\u0027 used for access control within the database, including the special case \u0027_admin\u0027 role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two \u0027roles\u0027 keys are available in the JSON, the second one will be used for authorising the document write, but the first \u0027roles\u0027 key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "44498", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/44498/" }, { "name": "45019", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/45019/" }, { "name": "[dev] 20171114 Apache CouchDB CVE-2017-12635 and CVE-2017-12636", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E" }, { "name": "GLSA-201711-16", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201711-16" }, { "name": "[debian-lts-announce] 20180121 [SECURITY] [DLA 1252-1] couchdb security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html" }, { "name": "101868", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101868" }, { "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us", "refsource": "CONFIRM", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03935en_us" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-12635", "datePublished": "2017-11-14T20:00:00Z", "dateReserved": "2017-08-07T00:00:00", "dateUpdated": "2024-09-17T01:31:53.828Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }