63 matches found
CVE-2023-50436
CVE-2023-50436 affects Couchbase Server prior to 7.2.4. The issue leaks admin credentials (ns_server) encoded in diag.log, with earliest affected version 7.1.5. Connected sources confirm the vulnerability is limited to 7.1.5–7.2.3 and that upgrading to 7.2.4 or later resolves the vulnerability. T...
CVE-2023-2033
CVE-2023-2033: A type confusion in Google's V8 engine used by Chromium-based browsers allowed remote heap corruption via crafted HTML. The vulnerability affected Google Chrome/Chromium up to version 112.0.5615.121 and was fixed in the 112.0.5615.121 release (M112 Stable Update). Chrome’s advisory...
CVE-2023-3079
Summary (CVE-2023-3079) : A type confusion in V8 in Google Chrome prior to 114.0.5735.110 can allow remote code execution via a crafted HTML page, with heap corruption as the underlying issue. The vulnerability affects Chrome’s Chromium-based rendering stack (V8 engine) and is rated High severity...
CVE-2023-50782
CVE-2023-50782 affects the python-cryptography library across multiple Linux distributions. The underlying issue is a Bleichenbacher timing/PKCS#1 v1.5 RSA decryption handling flaw that could allow a remote attacker to decrypt TLS RSA-exchange messages, potentially exposing confidential data. Aff...
CVE-2024-0519
CVE-2024-0519 is a Google Chrome/V8 vulnerability: an out-of-bounds memory access in V8 allows potential heap corruption via a crafted HTML page. Affected products include Chrome before version 120.0.6099.224; the Chromium/Chrome Stable Channel update to 120.0.6099.224 (Linux and Mac) and 120.0.6...
CVE-2020-9039
CVE-2020-9039 affects Couchbase Server versions 4.0.0, 4.1.0/4.1.1, 4.5.0/4.5.1, 4.6.0–4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1. The issue is insecure permissions on the projector and indexer REST endpoints, allowing unauthenticated access to administrative APIs via the /settings endpoint. The vulner...
CVE-2019-11496
CVE-2019-11496 affects Couchbase Server. Prior to 5.0, the special default bucket allowed read/write access without authentication; in 5.0, behavior was tightened for all buckets, but a flaw allowed unauthenticated/unauthorized access to the default bucket when its properties were edited. The iss...
CVE-2023-49931
Couchbase Server prior to 7.2.4 is affected by an issue where SQL++ cURL calls to the /diag/eval API endpoint are not sufficiently restricted. The CVE entry indicates potential high-impact exposure affecting confidentiality, integrity, and availability. The common remediation across sources is up...
CVE-2019-11466
In Couchbase Server 6.0.0/5.5.0, the Eventing service exposed an unauthenticated HTTP endpoint for the system diagnostic profile on an internal-traffic port; this was remedied in 6.0.1 and now requires valid credentials.
CVE-2023-45874
CVE-2023-45874 affects Couchbase Server up to version 7.2.2. The issue is caused by a data reader that may cause a denial of service, leading to an outage of reader threads. The CVSS base score is 4.3 (Medium) with network attack vector and low privileges required. No exploitation details are pro...
CVE-2023-49932
CVE-2023-49932 affects Couchbase Server versions prior to 7.2.4. The vulnerability allows bypassing SQL++ N1QL cURL host restrictions. The available docs do not provide exploitation details; remediation is upgrading to 7.2.4+ or applying vendor guidance per release notes. CVSS 3.1 base score 5.4 ...
CVE-2023-49930
CVE-2023-49930 affects Couchbase Server versions before 7.2.4. The issue is that cURL calls to the "/diag/eval" API endpoint are not sufficiently restricted, enabling access that could impact confidentiality, integrity, and availability. The vulnerability is described with a high severity (CVSS v...
CVE-2019-11497
CVE-2019-11497 affects Couchbase Server 5.0.0, where during reference creation XDCR accepted an invalid Remote Cluster Certificate due to not validating the certificate signature. The issue allowed the system to proceed with establishing connections to a remote cluster using the invalid cert. The...
CVE-2023-43769
CVE-2023-43769 affects Couchbase Server up to 7.1.4 (before 7.1.5) and before 7.2.1. The issue is that unauthenticated RMI service ports are exposed in Analytics, enabling potential unauthorized access. The available sources consistently identify Analytics as the exposed interface and indicate th...
CVE-2024-23302
CVE-2024-23302 affects Couchbase Server prior to version 7.2.4, where a private key leak occurs in the goxdcr.log. The available sources confirm the issue and the affected product/version, but do not provide exploit details or specific remediation steps beyond the exposure described. No root-caus...
CVE-2022-32562
CVE-2022-32562_affects_Couchbase_Server_before_7.0.4. The issue allows operations to succeed on a collection using stale RBAC permissions, potentially enabling unauthorized access or actions despite RBAC settings. Public sources (NVD, Red Hat, CVE records) consistently describe the vulnerability ...
CVE-2023-45873
CVE-2023-45873 affects Couchbase Server versions through 7.2.2. The issue is triggered when a data reader reads large volumes of documents, potentially triggering the OS out-of-memory killer and causing the application to terminate (denial of service). The Red Hat and NVD records reiterate the sa...
CVE-2019-11495
CVE-2019-11495 affects Couchbase Server 5.1.1 where the intra-node cookie was not generated securely because erlang:now() seeds the PRNG, creating a small space of random seeds that could allow brute-forcing the cookie and executing code on a remote system. Reports across sources confirm this vul...
CVE-2023-50437
CVE-2023-50437 affects Couchbase Server prior to 7.2.4. The issue involves otpCookie being shown with full admin on endpoints /pools/default/serverGroups and engageCluster2, indicating overly permissive admin exposure. Root cause is not explicitly detailed beyond the admin-level OTP cookie handli...
CVE-2019-11467
CVE-2019-11467 affects Couchbase Server 4.6.3 and 5.5.0 where the secondary indexing path encodes entries with collatejson. When index entries contained characters such as tab, , the encoded string could exceed expectations and trigger a buffer overrun, causing the indexer service to crash and re...
CVE-2023-49338
CVE-2023-49338 affects Couchbase Server versions 7.1.x through 7.2.3 (before 7.2.4). The vulnerability arises from endpoints /admin/stats and /admin/vitals on localhost TCP port 8093 not requiring authentication, enabling potential unauthorized access to sensitive operational data. The cited CVSS...
CVE-2022-32557
CVE-2022-32557 affects Couchbase Server versions prior to 7.0.4, where the Index Service does not enforce authentication for TCP/TLS servers. This creates potential unauthorized access from the network (attack vector: network, low attack complexity). The CVSS details indicate a high impact on int...
CVE-2022-32560
CVE-2022-32560 affects Couchbase Server versions before 7.0.4. The root cause is XDCR lacking role checking when changing internal settings, potentially allowing unauthorized modification within XDCR configuration. Documented impact indicates potential integrity concerns (I: HIGH) with no confide...
CVE-2022-32564
CVE-2022-32564 affects Couchbase Server prior to 7.0.4. The issue resides in couchbase-cli’s server-eshell, which leaks the Cluster Manager cookie, enabling information disclosure via command-line cookie exposure. Multiple connected sources (NVD/CNNVD/Red Hat/CVEs) describe the vulnerability as a...
CVE-2018-15728
CVE-2018-15728 affects Couchbase Server where the REST/diag/eval endpoint (on TCP 8091 and/or 18091) could be accessed by authenticated Full Admin users to submit arbitrary Erlang code, which would execute on the underlying OS with the attacker's privileges. Affected versions include 4.0.0, 4.1.2...
CVE-2022-32558
CVE-2022-32558 affects Couchbase Server prior to 7.0.4. The issue arises during sample bucket loading, where a failure may disclose internal user passwords. The connected sources reiterate this information disclosure vector and the impact (confidentiality of passwords) but do not provide explicit...
CVE-2022-32565
CVE-2022-32565 affects Couchbase Server prior to 7.0.4. The Backup Service log discloses unredacted usernames and document IDs, constituting a log information disclosure vulnerability. Connected sources confirm the issue in Couchbase Server versions before 7.0.4 with the root cause described as a...
CVE-2019-11465
CVE-2019-11465 affects Couchbase Server 5.5.x (up to 5.5.3) and 6.0.0. The Memcached "connections" stat block exposes a non-redacted username and system info from bug reports, potentially leaking user names. The issue is fixed in 5.5.4 and 6.0.1 by properly tagging usernames in logs and hashing t...
CVE-2021-31158
The CVE affects Couchbase Server 6.5.x and 6.6.x up to 6.6.1, where the Query Engine’s Common Table Expressions did not correctly enforce per-user permissions, allowing read access to resources beyond what a user is explicitly allowed. This impacts confidentiality (High) without integrity/availab...
CVE-2022-32556
CVE-2022-32556 affects Couchbase Server before 7.0.4. During certain crashes, a private key is leaked to log files, exposing sensitive material and potentially impacting confidentiality. CVSSv3.1 base score is 7.5 (HIGH). The provided materials identify affected product/version and the root cause...
CVE-2022-32193
CVE-2022-32193 affects Couchbase Server 6.6.x through 7.x, prior to version 7.0.4, where an information‑disclosure vulnerability exposes sensitive data to an unauthorized actor. The issue is rooted in the server stack described in public CVE summaries; confirmed references indicate an unauthorize...
CVE-2022-32192
CVE-2022-32192 affects Couchbase Server 5.x through 7.x before 7.0.4 and results in exposure of sensitive information to an unauthorized actor. The connected documents consistently describe an information-disclosure vulnerability in Couchbase Server, but do not provide a concrete, publicly disclo...
CVE-2022-32559
CVE-2022-32559 affects Couchbase Server prior to 7.0.4. The issue arises from handling random HTTP requests that can lead to leaked metrics, exposing potential information about the system. According to multiple connected sources, the vulnerability impacts Couchbase Server versions before 7.0.4, ...
CVE-2020-24719
CVE-2020-24719 affects Erlang-based deployments where the Erlang cookie (shared secret) is exposed in logs, enabling an attacker to attach to a running Erlang node and execute OS commands. Root cause: the magic cookie is leaked through log content, allowing unauthorized remote access. Impact is h...
CVE-2021-33504
CVE-2021-33504 affects Couchbase Server prior to 7.1.0, due to Incorrect Access Control/illegal authorization vulnerability. The connected Red Hat, CNVD, CNNVD, and PT-Security entries corroborate that versions before 7.1.0 are impacted and describe the issue as improper access control allowing m...
CVE-2021-27924
CVE-2021-27924 affects Couchbase Server 6.x up to 6.6.1, where the UI insecurely logs session cookies in logs. This enables user impersonation if log files are obtained before the session cookie expires. Root cause: session cookies are logged unintentionally by the Couchbase Server UI. Impact: po...
CVE-2022-34826
CVE-2022-34826 affects Couchbase Server 7.1.x prior to 7.1.1, where an encrypted Private Key passphrase may be leaked via logs. The issue can expose confidential data; CVSSv3.1 base score 5.9 (MEDIUM) with NETWORK attack vector, high confidentiality impact, no privileges or user interaction requi...
CVE-2019-11464
CVE-2019-11464 affects Couchbase Server Views REST API (port 8092), where security headers were not included in versions 5.5.0 and 5.1.2. The issue is that headers such as X-Frame-Options, X-Content-Type-Options, X-Permitted-Cross-Domain-Policies, and X-XSS-Protection were missing in responses. T...
CVE-2021-25643
CVE-2021-25643 affects Couchbase Server 5.x and 6.x prior to 6.5.2 and 6.6.x prior to 6.6.2. The issue enables internal administrator users (@cbq-engine-cbauth and @index-cbauth) to leak credentials in cleartext via the indexer.log when issuing /listCreateTokens, /listRebalanceTokens, or /listMet...
CVE-2024-37034
CVE-2024-37034 affects Couchbase Server versions prior to 7.2.5 and 7.6.0 prior to 7.6.1. The issue is that credentials are not negotiated with the Key-Value (KV) service using SCRAM-SHA when remote link encryption is configured for Half-Secure, leading to potential information disclosure (Confid...
CVE-2022-32561
CVE-2022-32561 maps to an issue in Couchbase Server previously tracked under CVE-2018-15728, where the /diag/eval diagnostic endpoint could be accessed by authenticated Full Admins and allowed execution of arbitrary Erlang code on the server. Affected versions for the root cause include Couchbase...
CVE-2024-25673
CVE-2024-25673 affects Couchbase Server and enables HTTP Host header injection in affected branches: Couchbase Server 7.6.x prior to 7.6.2 and 7.2.x prior to 7.2.6 (and earlier versions). The vulnerability is due to improper handling of the Host header in HTTP requests. Observed impact per source...
CVE-2023-28470
CVE-2023-28470 affects Couchbase Server 5.x–7.x prior to 7.1.4. The nsstats endpoint can be accessed without authentication, representing an authentication bypass in the statistics endpoint. Supported details from multiple sources confirm affected versions and the fix: upgrade to 7.1.4 or later t...
CVE-2024-56178
CVE-2024-56178 affects Couchbase Server 7.6.x up to 7.6.3. The issue arises from incorrect permission storage, allowing a user with the security_admin_local role to create a new user in a group that has the admin role. The consequence is privilege escalation within the Couchbase security model. N...
CVE-2022-33911
CVE-2022-33911 affects Couchbase Server 7.x (prior to 7.0.4). The issue lies in the Analytics Service: field names are not redacted in logged validation messages, enabling an unauthorized actor to potentially obtain sensitive information. The connected documents confirm the vulnerability details ...
CVE-2023-25016
CVE-2023-25016 affects Couchbase Server: versions prior to 6.6.6, 7.x prior to 7.0.5, and 7.1.x prior to 7.1.2. The issue exposes sensitive information to an unauthorized actor . The Red Hat advisory RH:CVE-2023-25016 corroborates the description. No root-cause or exploitation details are provide...
CVE-2025-46619
CVE-2025-46619 affects Couchbase Server: versions prior to 7.6.4 are vulnerable; Windows specifically affected up to 7.2.7. The issue could allow unauthorized access to sensitive files (e.g., /etc/passwd, /etc/shadow) depending on privilege level. Fixed in v7.6.4 for general use and in v7.2.7 for...
CVE-2021-27925
Affects Couchbase Server 6.5.x and 6.6.x up to 6.6.1. The vulnerability arises in the View Engine when Auditing is enabled; a race-condition can cause an internal administrator user (@ns_server) to have credentials leaked in cleartext in the ns_server.info.log. The connected Red Hat and NVD entri...
CVE-2021-25644
CVE-2021-25644 affects Couchbase Server 5.x and 6.x up to 6.6.1 and 7.0.0 Beta. The issue arises from incorrect commands to the REST API, causing authentication information to be leaked in plaintext in debug.log and info.log files and also shown in the UI accessible to administrators. The provide...
CVE-2021-35943
CVE-2021-35943 affects Couchbase Server 6.5.x and 6.6.x through 6.6.2. Root cause: Incorrect Access Control that allows externally managed users to authenticate with an empty password (RFC4513). Impact per the CVE indicates potential unauthorized access with high confidentiality/integrity/availab...