Lucene search
GoogleOSV:GHSA-9266-J9V3-Q4J5HistoryJun 11, 2022 - 12:00 a.m.
Couchbase Sync Gateway admin credentials not verified when using X.509 client cert authentication
2022-06-1100:00:36
Google
osv.dev
4
couchbase sync gateway
admin credentials
x.509 client-certificate
authentication
privilege escalation
unauthenticated users
workaround
bootstrap configuration
couchbase server
An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509 client certificates, the admin credentials provided to the Admin REST API are ignored, resulting in privilege escalation for unauthenticated users. The Public REST API is not impacted by this issue. A workaround is to replace X.509 certificate based authentication with Username and Password authentication inside the bootstrap configuration.
Related
cvelist
cvelist
CVE-2022-32563
2022-06-10 11:57:58
cve
cve
CVE-2022-32563
2022-06-10 12:15:07
osv
osv
PYSEC-2022-207
2022-06-10 12:15:00
github
github
veracode
veracode
Privilege Escalation
2024-04-30 08:06:08
nvd
nvd
CVE-2022-32563
2022-06-10 12:15:07
prion
prion
Design/Logic Flaw
2022-06-10 12:15:00