Lucene search

K
ubuntucveUbuntu.comUB:CVE-2017-12636
HistoryNov 14, 2017 - 12:00 a.m.

CVE-2017-12636

2017-11-1400:00:00
ubuntu.com
ubuntu.com
19

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.031

Percentile

91.1%

CouchDB administrative users can configure the database server via HTTP(S).
Some of the configuration options include paths for operating system-level
binaries that are subsequently launched by CouchDB. This allows an admin
user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute
arbitrary shell commands as the CouchDB user, including downloading and
executing scripts from the public internet.

OSVersionArchitecturePackageVersionFilename
ubuntu16.04noarchcouchdb< anyUNKNOWN

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.031

Percentile

91.1%