Vulnerability Details CVE-2022-24706
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.944
EPSS Ranking 100.0%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 10.0
Proposed Action
Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges.
Ransomware Campaign
Unknown
References
- http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html
- http://www.openwall.com/lists/oss-security/2022/04/26/1
- http://www.openwall.com/lists/oss-security/2022/05/09/1
- http://www.openwall.com/lists/oss-security/2022/05/09/2
- http://www.openwall.com/lists/oss-security/2022/05/09/3
- http://www.openwall.com/lists/oss-security/2022/05/09/4
- https://docs.couchdb.org/en/3.2.2/setup/cluster.html
- https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
- https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd
- http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html
- http://www.openwall.com/lists/oss-security/2022/04/26/1
- http://www.openwall.com/lists/oss-security/2022/05/09/1
- http://www.openwall.com/lists/oss-security/2022/05/09/2
- http://www.openwall.com/lists/oss-security/2022/05/09/3
- http://www.openwall.com/lists/oss-security/2022/05/09/4
- https://docs.couchdb.org/en/3.2.2/setup/cluster.html
- https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
- https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd
Products affected by CVE-2022-24706
-
cpe:2.3:a:apache:couchdb:-
-
cpe:2.3:a:apache:couchdb:0.10.0
-
cpe:2.3:a:apache:couchdb:0.10.1
-
cpe:2.3:a:apache:couchdb:0.10.2
-
cpe:2.3:a:apache:couchdb:0.11.0
-
cpe:2.3:a:apache:couchdb:0.11.1
-
cpe:2.3:a:apache:couchdb:0.11.2
-
cpe:2.3:a:apache:couchdb:0.8.0
-
cpe:2.3:a:apache:couchdb:0.8.1
-
cpe:2.3:a:apache:couchdb:0.9.0
-
cpe:2.3:a:apache:couchdb:0.9.1
-
cpe:2.3:a:apache:couchdb:0.9.2
-
cpe:2.3:a:apache:couchdb:1.0.0
-
cpe:2.3:a:apache:couchdb:1.0.1
-
cpe:2.3:a:apache:couchdb:1.0.2
-
cpe:2.3:a:apache:couchdb:1.0.3
-
cpe:2.3:a:apache:couchdb:1.0.4
-
cpe:2.3:a:apache:couchdb:1.1.0
-
cpe:2.3:a:apache:couchdb:1.1.1
-
cpe:2.3:a:apache:couchdb:1.1.2
-
cpe:2.3:a:apache:couchdb:1.2.0
-
cpe:2.3:a:apache:couchdb:1.2.1
-
cpe:2.3:a:apache:couchdb:1.2.2
-
cpe:2.3:a:apache:couchdb:1.3.0
-
cpe:2.3:a:apache:couchdb:1.3.1
-
cpe:2.3:a:apache:couchdb:1.4.0
-
cpe:2.3:a:apache:couchdb:1.5.0
-
cpe:2.3:a:apache:couchdb:1.5.1
-
cpe:2.3:a:apache:couchdb:1.6.0
-
cpe:2.3:a:apache:couchdb:1.6.1
-
cpe:2.3:a:apache:couchdb:1.7.0
-
cpe:2.3:a:apache:couchdb:1.7.1
-
cpe:2.3:a:apache:couchdb:1.7.2
-
cpe:2.3:a:apache:couchdb:2.0.0
-
cpe:2.3:a:apache:couchdb:2.1.0
-
cpe:2.3:a:apache:couchdb:2.1.1
-
cpe:2.3:a:apache:couchdb:2.1.2
-
cpe:2.3:a:apache:couchdb:2.1.2.
-
cpe:2.3:a:apache:couchdb:2.2.0
-
cpe:2.3:a:apache:couchdb:2.3.0
-
cpe:2.3:a:apache:couchdb:2.3.1
-
cpe:2.3:a:apache:couchdb:3.0.0
-
cpe:2.3:a:apache:couchdb:3.1.2
-
cpe:2.3:a:apache:couchdb:3.2.0
-
cpe:2.3:a:apache:couchdb:3.2.1