Couchbase Sync Gateway 2.1.2, in combination with a Couchbase Server, is affected by a previously undisclosed N1QL injection vulnerability in the REST API. An attacker with access to the public REST API can insert additional N1QL statements through the "startkey" and "endkey" parameters of the "_all_docs" endpoint.
CPE

Name | Operator | Version
---|---|---
github.com/couchbase/sync_gateway | lt | 2.5.0

docs.couchbase.com/sync-gateway/2.5/release-notes.html
github.com/couchbase/sync_gateway/commit/97adb5b496aa96aa70398018ea96da913ffd8d8c
nvd.nist.gov/vuln/detail/CVE-2019-9039
research.hisolutions.com/2019/06/n1ql-injection-in-couchbase-sync-gateway-cve-2019-9039
www.couchbase.com/resources/security#SecurityAlerts