Disclose CVE 2018-11769
diff --git a/src/cve/2018-11769.rst b/src/cve/2018-11769.rst
new file mode 100644
index 0000000..7968116
--- /dev/null
+++ b/src/cve/2018-11769.rst
@@ -0,0 +1,60 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+.. http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cve/2018-11769:
+
+====================================================
+CVE-2018-11769: Apache CouchDB Remote Code Execution
+====================================================
+
+:Date: 08.08.2018
+
+:Affected: Apache CouchDB 1.x and ≤2.1.2
+
+:Severity: Low
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+CouchDB administrative users can configure the database server via HTTP(S). Due
+to insufficient validation of administrator-supplied configuration settings via
+the HTTP API, it is possible for a CouchDB administrator user to escalate their
+privileges to that of the operating system’s user under which CouchDB runs, by
+bypassing the blacklist of configuration settings that are not allowed to be
+modified via the HTTP API.
+
+This privilege escalation effectively allows a CouchDB admin user to gain
+arbitrary remote code execution, bypassing mitigations for
+:ref:`CVE-2017-12636 <cve/2017-12636>` and :ref:`CVE-2018-8007 <cve/2018-8007>`.
+
+Mitigation
+==========
+
+All users should upgrade to CouchDB :ref:`2.2.0 <release/2.2.0>`.
+
+Upgrades from previous 2.x versions in the same series should be seamless.
+
+Users still on CouchDB 1.x should be advised that the Apache CouchDB team no
+longer support 1.x.
+
+In-place mitigation (on any 1.x release, or 2.x prior to 2.2.0) is possible by
+removing the ``_config`` route from the ``default.ini`` file, as follows:
+
+ .. code-block:: text
+
+ [httpd_global_handlers]
+ ;_config = {couch_httpd_misc_handlers, handle_config_req}
+
+or by blocking access to the `/_config` (1.x) or `/_node/*/_config` routes at a reverse
+proxy in front of the service.
diff --git a/src/whatsnew/2.2.rst b/src/whatsnew/2.2.rst
index 6328b4d..ef51172 100644
--- a/src/whatsnew/2.2.rst
+++ b/src/whatsnew/2.2.rst
@@ -86,6 +86,8 @@
This feature never worked in 2.0 for databases, only for shards, making it effectively
useless.
+.. _release/2.2.0:
+
Version 2.2.0
=============
