CVE-2023-45725 (GCVE-0-2023-45725)

Vulnerability from cvelistv5 – Published: 2023-12-13 08:02 – Updated: 2024-08-02 20:29
VLAI?
Summary
Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document. These design document functions are: *   list *   show *   rewrite *   update An attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an "update" function. For the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document. Workaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate request object's headers
Severity ?
No CVSS data available.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache CouchDB Affected: 0 , ≤ 3.3.2 (semver)
Create a notification for this product.
Credits
Natan Nehorai from the JFrog Vulnerability Research Team Or Peles from the JFrog Vulnerability Research Team Richard Ellis from IBM/Cloudant Team Mike Rhodes from IBM/Cloudant Team
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:29:31.714Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/pqjq9zt8vq9rsobkc1cow9sqm9vozlrg"
          },
          {
            "tags": [
              "release-notes",
              "x_transferred"
            ],
            "url": "https://docs.couchdb.org/en/stable/cve/2023-45725.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Apache CouchDB",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.3.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "IBM Cloudant",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "8413",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Natan Nehorai from the JFrog Vulnerability Research Team"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Or Peles from the JFrog Vulnerability Research Team"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Richard Ellis from IBM/Cloudant Team"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Mike Rhodes from IBM/Cloudant Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document.\u003cbr\u003e\u003cbr\u003eThese design document functions are:\u003cbr\u003e\u003cul\u003e\u003cli\u003e\u0026nbsp; list\u003c/li\u003e\u003cli\u003e\u0026nbsp; show\u003c/li\u003e\u003cli\u003e\u0026nbsp; rewrite\u003c/li\u003e\u003cli\u003e\u0026nbsp; update\u003c/li\u003e\u003c/ul\u003eAn attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an \"update\" function.\u003cbr\u003e\u003cbr\u003eFor the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document.\u003cbr\u003e\u003cbr\u003eWorkaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate request object\u0027s headers\u003cbr\u003e"
            }
          ],
          "value": "Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document.\n\nThese design document functions are:\n  *  \u00a0 list\n  *  \u00a0 show\n  *  \u00a0 rewrite\n  *  \u00a0 update\n\nAn attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an \"update\" function.\n\nFor the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document.\n\nWorkaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate request object\u0027s headers\n"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-13T08:02:17.326Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/pqjq9zt8vq9rsobkc1cow9sqm9vozlrg"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://docs.couchdb.org/en/stable/cve/2023-45725.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache CouchDB, IBM Cloudant: Privilege Escalation Using _design Documents",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-45725",
    "datePublished": "2023-12-13T08:02:17.326Z",
    "dateReserved": "2023-10-10T21:35:31.623Z",
    "dateUpdated": "2024-08-02T20:29:31.714Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"3.3.2\", \"matchCriteriaId\": \"22748077-2553-46DD-A3C6-F4C1775C275E\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document.\\n\\nThese design document functions are:\\n  *  \\u00a0 list\\n  *  \\u00a0 show\\n  *  \\u00a0 rewrite\\n  *  \\u00a0 update\\n\\nAn attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an \\\"update\\\" function.\\n\\nFor the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document.\\n\\nWorkaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate request object\u0027s headers\\n\"}, {\"lang\": \"es\", \"value\": \"Las funciones de dise\\u00f1o de documentos que reciben un objeto de solicitud http de usuario pueden exponer los encabezados de cookies de sesi\\u00f3n o de autorizaci\\u00f3n del usuario que accede al documento. Estas funciones del documento de dise\\u00f1o son: * lista * mostrar * reescribir * actualizar. Un atacante puede filtrar el componente de la sesi\\u00f3n utilizando una salida similar a HTML, insertar la sesi\\u00f3n como un recurso externo (como una imagen) o almacenar la credencial en un documento local con una funci\\u00f3n de \\\"actualizaci\\u00f3n\\\". Para que el ataque tenga \\u00e9xito, el atacante debe poder insertar los documentos de dise\\u00f1o en la base de datos y luego manipular a un usuario para que acceda a una funci\\u00f3n desde ese documento de dise\\u00f1o. Workaround: evite el uso de documentos de dise\\u00f1o de fuentes no confiables que puedan intentar acceder o manipular los encabezados de los objetos de solicitud.\"}]",
      "id": "CVE-2023-45725",
      "lastModified": "2024-11-21T08:27:16.050",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N\", \"baseScore\": 5.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 3.6}]}",
      "published": "2023-12-13T08:15:50.190",
      "references": "[{\"url\": \"https://docs.couchdb.org/en/stable/cve/2023-45725.html\", \"source\": \"security@apache.org\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/pqjq9zt8vq9rsobkc1cow9sqm9vozlrg\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.couchdb.org/en/stable/cve/2023-45725.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/pqjq9zt8vq9rsobkc1cow9sqm9vozlrg\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-45725\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2023-12-13T08:15:50.190\",\"lastModified\":\"2024-11-21T08:27:16.050\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document.\\n\\nThese design document functions are:\\n  *  \u00a0 list\\n  *  \u00a0 show\\n  *  \u00a0 rewrite\\n  *  \u00a0 update\\n\\nAn attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an \\\"update\\\" function.\\n\\nFor the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document.\\n\\nWorkaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate request object\u0027s headers\\n\"},{\"lang\":\"es\",\"value\":\"Las funciones de dise\u00f1o de documentos que reciben un objeto de solicitud http de usuario pueden exponer los encabezados de cookies de sesi\u00f3n o de autorizaci\u00f3n del usuario que accede al documento. Estas funciones del documento de dise\u00f1o son: * lista * mostrar * reescribir * actualizar. Un atacante puede filtrar el componente de la sesi\u00f3n utilizando una salida similar a HTML, insertar la sesi\u00f3n como un recurso externo (como una imagen) o almacenar la credencial en un documento local con una funci\u00f3n de \\\"actualizaci\u00f3n\\\". Para que el ataque tenga \u00e9xito, el atacante debe poder insertar los documentos de dise\u00f1o en la base de datos y luego manipular a un usuario para que acceda a una funci\u00f3n desde ese documento de dise\u00f1o. Workaround: evite el uso de documentos de dise\u00f1o de fuentes no confiables que puedan intentar acceder o manipular los encabezados de los objetos de solicitud.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.3.2\",\"matchCriteriaId\":\"22748077-2553-46DD-A3C6-F4C1775C275E\"}]}]}],\"references\":[{\"url\":\"https://docs.couchdb.org/en/stable/cve/2023-45725.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread/pqjq9zt8vq9rsobkc1cow9sqm9vozlrg\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://docs.couchdb.org/en/stable/cve/2023-45725.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread/pqjq9zt8vq9rsobkc1cow9sqm9vozlrg\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.