Lucene search

K

[email protected]NVD:CVE-2018-8007

HistoryJul 11, 2018 - 1:29 p.m.

CVE-2018-8007

2018-07-1113:29:00

CWE-20

[email protected]

web.nvd.nist.gov

1

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.031 Low

EPSS

Percentile

91.2%

Apache CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system’s user that CouchDB runs under, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows an existing CouchDB admin user to gain arbitrary remote code execution, bypassing already disclosed CVE-2017-12636. Mitigation: All users should upgrade to CouchDB releases 1.7.2 or 2.1.2.

Affected configurations

NVD

Node

apachecouchdbRange≤1.7.1

OR

apachecouchdbRange2.0.0–2.1.1

References

mail-archives.apache.org/mod_mbox/couchdb-announce/201807.mbox/%3c1439409216.6221.1531246856676.JavaMail.Joan%40RITA%3e

mail-archives.apache.org/mod_mbox/couchdb-announce/201807.mbox/%3C1699016538.6219.1531246785603.JavaMail.Joan%40RITA%3E

www.securityfocus.com/bid/104741

blog.couchdb.org/2018/07/10/cve-2018-8007/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S5FPHVVU5KMRFKQTJPAM3TBGC7LKCWQS/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3JOUCX7LHDV4YWZDQNXT5NTKKRANZQW/

security.gentoo.org/glsa/201812-06

support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03935en_us

www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.031 Low

EPSS

Percentile

91.2%

Related for NVD:CVE-2018-8007

osv5 cvelist4 ubuntucve4 cve4 prion4 freebsd1 redhatcve1 nessus6 nvd3 zdt3 openvas11 checkpoint_advisories1 gentoo2 packetstorm4 fedora6 debian1 archlinux1 metasploit1 exploitpack1 nuclei1 exploitdb2