CVE-2023-45725 Apache CouchDB, IBM Cloudant: Privilege Escalation Using _design Documents

2023-12-1308:02:17

CWE-200

apache

www.cve.org

cve-2023-45725

privilege escalation

apache couchdb

ibm cloudant

design documents

authorization

session cookie

attack

workaround

5.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.9%

JSON

Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document.

These design document functions are:

list
show
rewrite
update

An attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an “update” function.

For the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document.

Workaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate request object’s headers

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "Apache CouchDB",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "3.3.2",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "IBM Cloudant",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "8413",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]