Apache: >> Couchdb Security Vulnerabilities
Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.
CVSS Score
9.8
EPSS Score
0.942
Published
2017-11-14
CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.
CVSS Score
7.2
EPSS Score
0.935
Published
2017-11-14
Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2.1 allows remote attackers to execute arbitrary code via a JSONP callback, related to Adobe Flash.
CVSS Score
6.8
EPSS Score
0.032
Published
2014-05-23
Apache CouchDB 1.5.0 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via the count parameter to /_uuids.
CVSS Score
5.0
EPSS Score
0.443
Published
2014-03-28
Directory traversal vulnerability in the partition2 function in mochiweb_util.erl in MochiWeb before 2.4.0, as used in Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2.1, allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the default URI.
CVSS Score
5.0
EPSS Score
0.044
Published
2014-03-18
Cross-site scripting (XSS) vulnerability in the Futon UI in Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to the browser-based test suite.
CVSS Score
4.3
EPSS Score
0.01
Published
2014-03-18
Multiple cross-site scripting (XSS) vulnerabilities in the web administration interface (aka Futon) in Apache CouchDB 0.8.0 through 1.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS Score
4.3
EPSS Score
0.038
Published
2011-02-02
Untrusted search path vulnerability in a certain Debian GNU/Linux patch for the couchdb script in CouchDB 0.8.0 allows local users to gain privileges via a crafted shared library in the current working directory.
CVSS Score
6.9
EPSS Score
0.001
Published
2010-09-14
Cross-site request forgery (CSRF) vulnerability in Apache CouchDB 0.8.0 through 0.11.0 allows remote attackers to hijack the authentication of administrators for direct requests to an installation URL.
CVSS Score
6.8
EPSS Score
0.005
Published
2010-08-19
Apache CouchDB 0.8.0 through 0.10.1 allows remote attackers to obtain sensitive information by measuring the completion time of operations that verify (1) hashes or (2) passwords.
CVSS Score
4.3
EPSS Score
0.006
Published
2010-04-05