Apache Couchdb
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Apache Couchdb.
Known Exploited Apache Couchdb Vulnerabilities
The following Apache Couchdb vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Apache CouchDB Insecure Default Initialization of Resource Vulnerability |
Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges. CVE-2022-24706 Exploit Probability: 94.4% |
August 25, 2022 |
The vulnerability CVE-2022-24706: Apache CouchDB Insecure Default Initialization of Resource Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.
By the Year
In 2025 there have been 0 vulnerabilities in Apache Couchdb. Couchdb did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 2 | 5.50 |
| 2022 | 1 | 9.80 |
| 2021 | 1 | 7.30 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 7.20 |
| 2018 | 2 | 7.20 |
It may take a day or so for new Couchdb vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Apache Couchdb Security Vulnerabilities
Design document functions
CVE-2023-45725
5.7 - Medium
- December 13, 2023
Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document. These design document functions are: * list * show * rewrite * update An attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an "update" function. For the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document. Workaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate request object's headers
Design documents with matching document IDs
CVE-2023-26268
5.3 - Medium
- May 02, 2023
Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list * filter * filter views (using view functions as filters) * rewrite * update This doesn't affect map/reduce or search (Dreyfus) index functions. Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3). Workaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment.
In Apache CouchDB prior to 3.2.2, an attacker
CVE-2022-24706
9.8 - Critical
- April 26, 2022
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.
Insecure Default Initialization of Resource
In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document
CVE-2021-38295
7.3 - High
- October 14, 2021
In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality. This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes. This issue affected Apache CouchDB prior to 3.1.2
XSS
Prior to CouchDB version 2.3.0, CouchDB allowed for runtime-configuration of key components of the database
CVE-2018-17188
7.2 - High
- January 02, 2019
Prior to CouchDB version 2.3.0, CouchDB allowed for runtime-configuration of key components of the database. In some cases, this lead to vulnerabilities where CouchDB admin users could access the underlying operating system as the CouchDB user. Together with other vulnerabilities, it allowed full system entry for unauthenticated users. Rather than waiting for new vulnerabilities to be discovered, and fixing them as they come up, the CouchDB development team decided to make changes to avoid this entire class of vulnerabilities.
CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S)
CVE-2018-11769
7.2 - High
- August 08, 2018
CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user under which CouchDB runs, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows a CouchDB admin user to gain arbitrary remote code execution, bypassing CVE-2017-12636 and CVE-2018-8007.
Apache CouchDB administrative users can configure the database server via HTTP(S)
CVE-2018-8007
7.2 - High
- July 11, 2018
Apache CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user that CouchDB runs under, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows an existing CouchDB admin user to gain arbitrary remote code execution, bypassing already disclosed CVE-2017-12636. Mitigation: All users should upgrade to CouchDB releases 1.7.2 or 2.1.2.
Improper Input Validation
Multiple cross-site scripting (XSS) vulnerabilities in the web administration interface (aka Futon) in Apache CouchDB 0.8.0 through 1.0.1
CVE-2010-3854
- February 02, 2011
Multiple cross-site scripting (XSS) vulnerabilities in the web administration interface (aka Futon) in Apache CouchDB 0.8.0 through 1.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
XSS
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Apache Couchdb or by Apache? Click the Watch button to subscribe.
