CVE-2022-24706
CVE-2022-24706 affects Apache CouchDB before 3.2.2, where an attacker can access an improperly secured default installation without authentication and gain admin privileges due to an access-control flaw. Affected versions include 3.2.1 and earlier; remediation is to upgrade to CouchDB 3.2.2 (or a...
CVE-2017-12635
CVE-2017-12635 affects Apache CouchDB versions before 1.7.0 and 2.x before 2.1.1, where differences between the Erlang JSON parser and the JavaScript JSON parser allow a user document to contain duplicate roles keys. The second roles key governs authorization for writing the user, while the first...
CVE-2017-12636
CVE-2017-12636 affects Apache CouchDB prior to 1.7.0 and 2.x prior to 2.1.1, where an admin-configured HTTP(S) interface can point to OS binaries, enabling arbitrary shell commands to be executed as the CouchDB user. Multiple connected documents corroborate this RCE via configuration, with exploi...
CVE-2021-38295
CVE-2021-38295 affects Apache CouchDB before 3.1.2. A malicious user who can create documents can attach an HTML file; when an admin opens the attachment in a browser (e.g., Fauxton) the embedded JavaScript runs in the admin’s security context, enabling privilege escalation. Affected routes inclu...
CVE-2018-11769
CVE-2018-11769 affects Apache CouchDB prior to 2.2.0, allowing an administrator to bypass HTTP API configuration restrictions and escalate to the operating system user running CouchDB, effectively enabling arbitrary remote code execution. The issue arises from insufficient validation of admi...
CVE-2023-26268
CVE-2023-26268 affects Apache CouchDB. Connected sources confirm that design documents with matching IDs in databases on the same cluster may share a mutable JavaScript environment when using design_doc functions (validate_doc_update, list, filter, filter views, rewrite, update). The vulnerabilit...
CVE-2018-17188
CVE-2018-17188 affects Apache CouchDB prior to v2.3.0, where runtime configuration of key components could let CouchDB admin users access the underlying OS as the CouchDB user. This vulnerability, together with others, could enable full system entry for unauthenticated users. Evidence in connecte...