Apache Couchdb
Known Exploited Apache Couchdb Vulnerabilities
The following Apache Couchdb vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Apache CouchDB Insecure Default Initialization of Resource Vulnerability | Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges. CVE-2022-24706 | August 25, 2022 |
By the Year
In 2023 there have been 0 vulnerabilities in Apache Couchdb. Last year Couchdb had 1 security vulnerability published. Right now, Couchdb is on track to have fewer security vulnerabilities in 2023 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2023 | 0 | 0.00 |
| 2022 | 1 | 9.80 |
| 2021 | 1 | 7.30 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 7.20 |
| 2018 | 2 | 7.20 |
It may take a day or so for new Couchdb vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apache Couchdb Security Vulnerabilities
CVE-2022-24706
9.8 - Critical - April 26, 2022
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.
Weakness: Insecure Default Initialization of Resource
CVE-2021-38295
7.3 - High - October 14, 2021
In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach an HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality. This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes. This issue affected Apache CouchDB prior to 3.1.2.
Weakness: Improper Privilege Management
CVE-2018-17188
7.2 - High - January 02, 2019
Prior to CouchDB version 2.3.0, CouchDB allowed for runtime-configuration of key components of the database. In some cases, this led to vulnerabilities where CouchDB admin users could access the underlying operating system as the CouchDB user. Together with other vulnerabilities, it allowed full system entry for unauthenticated users. Rather than waiting for new vulnerabilities to be discovered, and fixing them as they come up, the CouchDB development team decided to make changes to avoid this entire class of vulnerabilities.
CVE-2018-11769
7.2 - High - August 08, 2018
CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user under which CouchDB runs, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows a CouchDB admin user to gain arbitrary remote code execution, bypassing CVE-2017-12636 and CVE-2018-8007.
CVE-2018-8007
7.2 - High - July 11, 2018
Apache CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user that CouchDB runs under, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows an existing CouchDB admin user to gain arbitrary remote code execution, bypassing already disclosed CVE-2017-12636. Mitigation: All users should upgrade to CouchDB releases 1.7.2 or 2.1.2.
Weakness: Improper Input Validation
CVE-2010-3854
February 02, 2011
Multiple cross-site scripting (XSS) vulnerabilities in the web administration interface (aka Futon) in Apache CouchDB 0.8.0 through 1.0.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Weakness: XSS