3.0.x cve (#544)

* feat: new cve, woop

* Update src/cve/2020-1955.rst

Co-authored-by: Jonathan Hall <flimzy@flimzy.com>

* Update src/cve/2020-1955.rst

Co-authored-by: Jonathan Hall <flimzy@flimzy.com>

* Update src/cve/2020-1955.rst

* Update src/cve/2020-1955.rst

* Remove 3.1.0 reference

Co-authored-by: Jan Lehnardt <jan@apache.org>
Co-authored-by: Jonathan Hall <flimzy@flimzy.com>
diff --git a/src/cve/2020-1955.rst b/src/cve/2020-1955.rst
new file mode 100644
index 0000000..a8c63f8
--- /dev/null
+++ b/src/cve/2020-1955.rst
@@ -0,0 +1,59 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cve/2020-1955:
+
+===========================================================
+CVE-2020-1955: Apache CouchDB Remote Privilege Escalation
+===========================================================
+
+:Date: 19.05.2020
+
+:Affected: 3.0.0
+
+:Severity: Medium
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+CouchDB version 3.0.0 shipped with a new configuration setting that
+governs access control to the entire database server called
+`require_valid_user_except_for_up`. It was meant as an extension to the
+long-standing setting `require_valid_user`, which in turn requires that
+any and all requests to CouchDB will have to be made with valid
+credentials, effectively forbidding any anonymous requests.
+
+The new `require_valid_user_except_for_up` is an off-by-default setting
+that was meant to allow requiring valid credentials for all endpoints
+except for the `/_up` endpoint.
+
+However, the implementation of this made an error that lead to not
+enforcing credentials on any endpoint, when enabled.
+
+CouchDB versions :ref:`3.0.1 <release/3.0.1>` and 3.1.0
+fix this issue.
+
+Mitigation
+==========
+
+Users who have not enabled `require_valid_user_except_for_up` are not
+affected.
+
+Users who have it enabled can either disable it again, or upgrade to
+CouchDB versions :ref:`3.0.1 <release/3.0.1>` and 3.1.0.
+
+Credit
+======
+
+This issue was discovered by Stefan Klein.
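Review bot: The Mitigation text "upgrade to CouchDB versions :ref:`3.0.1 <release/3.0.1>` and 3.1.0" should say "or", since a reader upgrades to one fixed release, not both. Both that line and the matching sentence in Description still name 3.1.0 as bare text with no :ref: target, although the commit message lists "Remove 3.1.0 reference"; either drop the mention in both places or confirm that only the link was meant to go. In Description, "made an error that lead to" should be "led to". The setting names and `/_up` use single backticks, which reStructuredText treats as the default role rather than an inline literal; double backticks would render them as code. Since the advisory turns on a single configuration key, it would also help operators if Mitigation said where that key is set so they can check whether it is enabled.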