ubuntucve | Ubuntu.com | UB:CVE-2018-8007
History: Jul 11, 2018 - 12:00 a.m.

CVE-2018-8007


CVSS2: 9
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3: 7.2
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.031
Percentile: 91.1%

Apache CouchDB administrative users can configure the database server via
HTTP(S). Due to insufficient validation of administrator-supplied
configuration settings via the HTTP API, it is possible for a CouchDB
administrator user to escalate their privileges to that of the operating
system’s user that CouchDB runs under, by bypassing the blacklist of
configuration settings that are not allowed to be modified via the HTTP
API. This privilege escalation effectively allows an existing CouchDB admin
user to gain arbitrary remote code execution, bypassing already disclosed
CVE-2017-12636. Mitigation: All users should upgrade to CouchDB releases
1.7.2 or 2.1.2.

OS      Version  Architecture  Package  Version  Filename
ubuntu  16.04    noarch        couchdb  < any    UNKNOWN
