CouchDB Privilege Escalation Vulnerability in Apache CouchDB
CVE-2018-11769

7.2HIGH

Key Information:

Vendor
Apache
Status
Apache Couchdb
Vendor
CVE Published:
8 August 2018

Summary

CouchDB administrative users prior to version 2.2.0 can modify server configurations through the HTTP(S) API without sufficient validation. This flaw allows an authenticated CouchDB admin to bypass restrictions on specific settings, potentially escalating their privileges to that of the underlying operating system user. This exploit can lead to arbitrary code execution, thus exposing the server to significant risks and potential malicious actions.

Affected Version(s)

Apache CouchDB Apache Tomcat 1.x and =2.1.2

References

http://www.securityfocus.com/bid/105046
vdb-entryx_refsource_BID
https://security.gentoo.org/glsa/201812-06
vendor-advisoryx_refsource_GENTOO
https://lists.apache.org/thread.html/1052ad7a1b32b9756df4...
x_refsource_MISC

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.