ID CVE-2017-12635 Type cve Reporter NVD Modified 2018-02-03T21:29:08
Description
Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.
Published 2017-11-14T15:29:00
CVSS 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)
URL https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12635
References
https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html
http://www.securityfocus.com/bid/101868
https://security.gentoo.org/glsa/201711-16
https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E
CPE
cpe:/a:apache:couchdb:1.0.0, cpe:/a:apache:couchdb:1.0.1, cpe:/a:apache:couchdb:1.0.2, cpe:/a:apache:couchdb:1.0.3, cpe:/a:apache:couchdb:1.0.4, cpe:/a:apache:couchdb:1.1.0, cpe:/a:apache:couchdb:1.1.1, cpe:/a:apache:couchdb:1.1.2, cpe:/a:apache:couchdb:1.2.0, cpe:/a:apache:couchdb:1.2.1, cpe:/a:apache:couchdb:1.5.0, cpe:/a:apache:couchdb:2.0.0:rc1, cpe:/a:apache:couchdb:2.0.0:rc2, cpe:/a:apache:couchdb:2.0.0:rc3, cpe:/a:apache:couchdb:2.0.0:rc4, cpe:/a:apache:couchdb:2.0.0
Related bulletins

seebug

SSV:96869: Remote Code Execution in CouchDB(CVE-2017-12635)
Published 2017-11-16T00:00:00, CVSS 0.0 (NONE), CVE-2017-12635
https://www.seebug.org/vuldb/ssvid-96869

There was a vulnerability in CouchDB caused by a discrepancy between the database’s native JSON parser and the Javascript JSON parser used during document validation. Because CouchDB databases are meant to be exposed directly to the internet, this enabled privilege escalation, and ultimately remote code execution, on a large number of installations. I’m wrong, and the main npm registry is unaffected. See correction below. My bad!] [CVE-2017-12635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12635)

### Background
Last time, I wrote about a deserialization bug leading to [code execution on rubygems.org](https://justi.cz/security/2017/10/07/rubygems-org-rce.html), a repository of dependencies for ruby programs. The ability to inject malware into upstream project dependencies is a scary attack vector, and one from which I doubt most organizations are adequately protected.

With this in mind, I started searching for bugs in [registry.npmjs.org](https://registry.npmjs.org/), the server responsible for distributing npm packages. According to [their homepage](https://www.npmjs.com/), the npm registry serves more than 3 billion (!) package downloads per week.

### CouchDB
The npm registry uses CouchDB, which I hadn’t heard of before this project. The basic idea is that it’s a “NoSQL” database that makes data replication very easy. It’s sort of like a big key-value store for JSON blobs (“documents”), with features for data validation, querying, and user authentication, making it closer to a full-fledged database. CouchDB is written in Erlang, but allows users to specify document validation scripts in Javascript. These scripts are automatically evaluated when a document is created or updated. They start in a new process, and are passed JSON-serialized documents from the Erlang side.

CouchDB manages user accounts through a special database called `_users`. When you create or modify a user in a CouchDB database (usually by doing a `PUT` to `/_users/org.couchdb.user:your_username`), the server checks your proposed change with a Javascript `validate_doc_update` function to ensure that you’re not, for example, attempting to make yourself an administrator.

### Vulnerability
The problem is that there is a discrepancy between the Javascript JSON parser (used in validation scripts) and the one used internally by CouchDB, called [jiffy](https://github.com/apache/couchdb-jiffy). Check out how each one deals with duplicate keys on an object like `{"foo":"bar", "foo":"baz"}`:

Erlang:
```
> jiffy:decode("{\"foo\":\"bar\", \"foo\":\"baz\"}").
{[{<<"foo">>,<<"bar">>},{<<"foo">>,<<"baz">>}]}
```

Javascript:
```
> JSON.parse("{\"foo\":\"bar\", \"foo\": \"baz\"}")
{foo: "baz"}
```

For a given key, the Erlang parser will store both values, but the Javascript parser will only store the last one. Unfortunately, the getter function for CouchDB’s internal representation of the data will only return the first value:
```
% Within couch_util:get_value
lists:keysearch(Key, 1, List).
```

And so, we can bypass all of the relevant input validation and create an admin user thusly:
```
curl -X PUT 'http://localhost:5984/_users/org.couchdb.user:oops' \
--data-binary '{
 "type": "user",
 "name": "oops",
 "roles": ["_admin"],
 "roles": [],
 "password": "password"
}'
```

In Erlang land, we’ll see ourselves as having the `_admin` role, while in Javascript land we appear to have no special permissions. Fortunately for the attacker, almost all of the important logic concerning authentication and authorization, aside from the input validation script, occurs in the Erlang part of CouchDB.

Now that we have an administrator account, we have complete control of the database. Getting a shell from here is usually easy since CouchDB lets you define custom `query_server` languages through the admin interface, a feature which is basically just a wrapper around `execv`. One funny feature of this exploit is that it’s slightly tricky to detect through the web GUI; if you try to examine the user we just created through the admin console, the `roles` field will show up empty since it’s parsed in Javascript before being displayed!

### Impact on npm
I’ve been trying to figure out exactly how npm was affected by this bug. Since I didn’t actually exploit the vulnerability against any of npm’s production servers, I have to make educated guesses about which parts of the infrastructure were vulnerable to which parts of the attack, based on publicly available information. It turns out that registry.npmjs.org simply exposes an identical API to the CouchDB user creation flow in order to maintain backwards compatibility with old clients. It has been using a custom authentication system since early 2015, and is therefore not vulnerable to my attack. The skim database mentioned below was affected by the bug, however. I apologize for being completely wrong in the initial version of this blog post!

Npm also exposes a “[skim database](https://skimdb.npmjs.com/)” which does look like it would have been vulnerable to the RCE part of the attack, but it’s unclear to me how that database is used in the infrastructure today. There’s a [blog post from 2014](http://blog.npmjs.org/post/75707294465/new-npm-registry-architecture) which indicates that all writes go to the skimdb, but I don’t know if this is still true.

### Conclusion
It’s probably a bad idea to use more than one parser to process the same data. If you have to, perhaps because your project uses multiple languages like in CouchDB, do your best to ensure that there aren’t any functional differences between the parsers like there were here. It’s unfortunate that the JSON standard [does not specify the behavior of duplicate keys](https://stackoverflow.com/questions/21832701/does-json-syntax-allow-duplicate-keys-in-an-object/21833017#21833017).

Thanks to the CouchDB team for having a published security@ email address and working quickly to get this fixed.

### Shameless plug
If you’re interested in ditching #birdsite and want to use a social network that actually respects your freedoms, you should consider [joining Mastodon!](https://joinmastodon.org/) It’s a federated social network, meaning that it works in a distributed way sort of like email. Join us over in the fediverse and help us build a friendly security community!

canvas

COUCHDB_ROLES: Immunity Canvas: COUCHDB_ROLES
Published 2017-11-14T15:29:00, CVSS 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/), CVE-2017-12635
http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/couchdb_roles

**Name**| couchdb_roles
---|---
**CVE**| CVE-2017-12635
**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>)
**Description**| Apache CouchDB Authentication Bypass RCE

**Notes**
CVE Name: CVE-2017-12635
VENDOR: http://couchdb.apache.org/
Notes:
12/8/2017
Windows 10 / CouchDB 2.0.0 - Exploit created
Ubuntu 14.04 / CouchDB 1.5.0 - Exploit created

IMPORTANT NOTE:
If the exploit does not get you a shell, look in the Canvas log to see if the exploit successfully created an administrative user. With that user, you can log in to the admin panel of your target and programs to start under the os_daemons key, as well as view other data.

IMPORTANT NOTE:
A _users database must be created by a previous admin for this exploit to work.

Repeatability: Infinite
References: ['https://justi.cz/security/2017/11/14/couchdb-rce-npm.html', 'http://www.securityfocus.com/bid/101868']
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12635

openvas

All entries below: CVSS 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/), CVE-2017-12635, CVE-2017-12636

OPENVAS:1361412562310107259: CouchDB Multiple Vulnerabilities (Windows)
Published 2017-11-16T00:00:00
http://plugins.openvas.org/nasl.php?oid=1361412562310107259
This host is installed with Apache CouchDB and is prone to multiple vulnerabilities.

OPENVAS:1361412562310873892: Fedora Update for couchdb FEDORA-2017-d0a336a2a3
Published 2017-12-10T00:00:00
http://plugins.openvas.org/nasl.php?oid=1361412562310873892
Check the version of couchdb

OPENVAS:1361412562310873882: Fedora Update for couchdb FEDORA-2017-a20d92573b
Published 2017-12-10T00:00:00
http://plugins.openvas.org/nasl.php?oid=1361412562310873882
Check the version of couchdb

OPENVAS:1361412562310107258: CouchDB Multiple Vulnerabilities (Linux)
Published 2017-11-16T00:00:00
http://plugins.openvas.org/nasl.php?oid=1361412562310107258
This host is installed with Apache CouchDB and is prone to multiple vulnerabilities.

OPENVAS:1361412562310873893: Fedora Update for erlang-jiffy FEDORA-2017-a20d92573b
Published 2017-12-10T00:00:00
http://plugins.openvas.org/nasl.php?oid=1361412562310873893
Check the version of erlang-jiffy

OPENVAS:1361412562310891252: Debian LTS Advisory ([SECURITY] [DLA 1252-1] couchdb security update)
Published 2018-01-22T00:00:00
http://plugins.openvas.org/nasl.php?oid=1361412562310891252
CVE-2017-12635
Prevent non-admin users to give themselves admin privileges.

CVE-2017-12636
Blacklist some configuration options to prevent execution of arbitrary shell commands as the CouchDB user

OPENVAS:1361412562310873886: Fedora Update for erlang-jiffy FEDORA-2017-d0a336a2a3
Published 2017-12-10T00:00:00
http://plugins.openvas.org/nasl.php?oid=1361412562310873886
Check the version of erlang-jiffy

gentoo

GLSA-201711-16: CouchDB: Multiple vulnerabilities
Published 2017-11-19T00:00:00, CVSS 0.0 (NONE), CVE-2017-12635, CVE-2017-12636
https://security.gentoo.org/glsa/201711-16

### Background

Apache CouchDB is a distributed, fault-tolerant and schema-free document-oriented database.

### Description

Multiple vulnerabilities have been discovered in CouchDB. Please review the CVE identifiers referenced below for details.

### Impact

A remote attacker could execute arbitrary shell commands or escalate privileges.

### Workaround

There is no known workaround at this time.

### Resolution

All CouchDB users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-db/couchdb-1.7.1"

nessus

All entries below: CVSS 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/), CVE-2017-12635, CVE-2017-12636

GENTOO_GLSA-201711-16.NASL: GLSA-201711-16 : CouchDB: Multiple vulnerabilities
Published 2017-11-20T00:00:00
https://www.tenable.com/plugins/index.php?view=single&id=104697
The remote host is affected by the vulnerability described in GLSA-201711-16 (CouchDB: Multiple vulnerabilities)

Multiple vulnerabilities have been discovered in CouchDB. Please review the CVE identifiers referenced below for details.

Impact :
A remote attacker could execute arbitrary shell commands or escalate privileges.

Workaround :
There is no known workaround at this time.

FEDORA_2017-A20D92573B.NASL: Fedora 27 : couchdb / erlang-jiffy (2017-a20d92573b)
Published 2018-01-15T00:00:00
https://www.tenable.com/plugins/index.php?view=single&id=105943
- CouchDB ver. 1.7.1
- Fixed CVE-2017-12635
- Fixed CVE-2017-12636
- Switched to eunit for testing
- Erlang 20 compatible

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

DEBIAN_DLA-1252.NASL: Debian DLA-1252-1 : couchdb security update
Published 2018-01-22T00:00:00
https://www.tenable.com/plugins/index.php?view=single&id=106208
CVE-2017-12635 Prevent non-admin users to give themselves admin privileges.

CVE-2017-12636 Blacklist some configuration options to prevent execution of arbitrary shell commands as the CouchDB user

For Debian 7 'Wheezy', these problems have been fixed in version 1.2.0-5+deb7u1.

We recommend that you upgrade your couchdb packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

zdt

1337DAY-ID-29083: Apache CouchDB Remote Code Execution Vulnerability
Published 2017-11-30T00:00:00, CVSS 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/), CVE-2017-12635, CVE-2017-12636
https://0day.today/exploit/description/29083
Exploit for multiple platform in category remote exploits