Arbitrary Code Injection

2016-10-17T16:20:12
ID NODEJS:143
Type nodejs
Reporter micaksica
Modified 2018-05-08T14:27:01

Description

Overview

Affected versions of pouchdb do not properly sandbox the code execution engine that executes the map/reduce functions for temporary views and design documents. Under certain circumstances, an attacker could use this to run arbitrary code on the server.

Recommendation

Update to version 6.0.5 or later.
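
One way to check a project against this recommendation, as an added example (not part of the original advisory or of the pouchdb project): a Node.js function that walks a parsed package-lock.json and reports every installed pouchdb copy below 6.0.5, including copies nested under other dependencies. The sample lockfile is constructed, and treating every release below 6.0.5 as needing the update is an assumption drawn from the Recommendation, since the advisory does not list the affected range.

```javascript
const FIXED = [6, 0, 5]; // "Update to version 6.0.5 or later"
// Assumption: any release below FIXED needs the update (the advisory gives no range).
function isBelowFixed(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return true; // git URL or missing version: report for manual review
  const nums = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (nums[i] !== FIXED[i]) return nums[i] < FIXED[i];
  }
  return Boolean(m[4]); // a prerelease such as 6.0.5-rc.1 sorts before 6.0.5
}
// Accepts a parsed package-lock.json and returns [{ path, version }] for each hit.
function findOutdatedPouchdb(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, info] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/pouchdb$/.test(path) && isBelowFixed(info.version)) {
        hits.push({ path, version: info.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" trees
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'pouchdb' && isBelowFixed(info.version)) {
        hits.push({ path, version: info.version });
      }
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile; package names other than pouchdb are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/pouchdb': { version: '6.0.4' },
    'node_modules/demo-dep/node_modules/pouchdb': { version: '5.4.5' },
    'node_modules/demo-other/node_modules/pouchdb': { version: '6.0.5' },
    'node_modules/pouchdb-helper-demo': { version: '0.1.0' },
  },
};
console.log(findOutdatedPouchdb(sampleLock));
```

To run it against a real project, pass the result of `JSON.parse` on the project's package-lock.json instead of `sampleLock`.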