Privilege escalation vulnerability when using HTML attachments
CVE-2021-38295

7.3HIGH

Key Information:

Vendor: Apache
Status: Apache Couchdb; IBM Cloudant
Vendor: CVE Published:; 14 October 2021

Badges

👾 Exploit Exists🟡 Public PoC

Summary

In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality. This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes. This issue affected Apache CouchDB prior to 3.1.2

Affected Version(s)

Apache CouchDB Apache CouchDB < 3.1.2

IBM Cloudant IBM Cloudant < 8201

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-38295-PoC
Created by ProfessionallyEvil

References

https://docs.couchdb.org/en/stable/cve/2021-38295.html

x_refsource_MISC

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

🟡
Public PoC available
Oct 14, 2021
👾
Exploit known to exist
Oct 14, 2021
Vulnerability published
Oct 14, 2021
Vulnerability Reserved
Aug 9, 2021

Credit

This issue was identified by Cory Sabol of Secure Ideas.