Apache CouchDB, IBM Cloudant: Privilege Escalation Using _design Documents
CVE-2023-45725

5.7 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 13 December 2023

Summary

Design document functions that receive a user's HTTP request object may expose the authorization or session cookie headers of the user who accesses the document.

These design document functions are:

  •   list
  •   show
  •   rewrite
  •   update

An attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an "update" function.

For the attack to succeed, the attacker has to be able to insert the design documents into the database and then manipulate a user into accessing a function from that design document.

Workaround: Avoid using design documents from untrusted sources, which may attempt to access or manipulate the request object's headers.
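One way to apply the workaround when reviewing design documents before loading them is sketched below. It is an added example, not code from Apache or IBM, and it assumes the documents have already been exported as JSON. The function names, the regex heuristic and the sample documents are constructed for illustration; `lists`, `shows`, `updates` and `rewrites` are the design-document fields that hold the four function types listed above.

```python
import json
import re

# Design-document fields holding the four function types named in the advisory.
REQUEST_FUNCTION_FIELDS = ("lists", "shows", "updates", "rewrites")

# Heuristic (assumption): any reference to the request headers, or to the
# credential-bearing header names, marks the function for manual review.
SUSPICIOUS = re.compile(
    r"\.headers\b|\[\s*['\"]headers['\"]\s*\]|\bcookie\b|\bauthorization\b",
    re.IGNORECASE,
)

def iter_functions(ddoc):
    """Yield (field, name, source) for each request-handling function string."""
    for field in REQUEST_FUNCTION_FIELDS:
        value = ddoc.get(field)
        if isinstance(value, str):        # "rewrites" may be one function string
            yield field, "", value
        elif isinstance(value, dict):
            for name, source in value.items():
                if isinstance(source, str):
                    yield field, name, source
        # A list of declarative rewrite rules carries no JavaScript: skipped.

def audit_design_doc(ddoc):
    """Return one finding per function whose source touches request headers."""
    findings = []
    for field, name, source in iter_functions(ddoc):
        hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(source)})
        if hits:
            findings.append({"ddoc": ddoc.get("_id"), "field": field,
                             "name": name, "matches": hits})
    return findings

# Constructed sample documents, not taken from any real database.
SAMPLE_DDOCS = json.loads(r'''[
  {"_id": "_design/reports",
   "shows": {"summary": "function(doc, req) { return '<h1>' + doc.title + '</h1>'; }"},
   "rewrites": [{"from": "/", "to": "index.html"}]},
  {"_id": "_design/imported",
   "shows": {"page": "function(doc, req) { var h = req.headers; return toJSON(h); }"},
   "updates": {"touch": "function(doc, req) { var c = req['headers'].Cookie; return [doc, 'ok']; }"}}
]''')

if __name__ == "__main__":
    for ddoc in SAMPLE_DDOCS:
        for finding in audit_design_doc(ddoc):
            print(finding)
```

The match is textual, so a clean result does not prove a function is safe, and a hit on a comment or string literal is possible; treat findings as a review queue.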

Affected Version(s)

Apache CouchDB 0 <= 3.3.2

IBM Cloudant 0 < 8413

CVSS V3.1

Score: 5.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Natan Nehorai from the JFrog Vulnerability Research Team
Or Peles from the JFrog Vulnerability Research Team
Richard Ellis from IBM/Cloudant Team
Mike Rhodes from IBM/Cloudant Team