| .. Licensed under the Apache License, Version 2.0 (the "License"); you may not |
| .. use this file except in compliance with the License. You may obtain a copy of |
| .. the License at |
| .. |
| .. http://www.apache.org/licenses/LICENSE-2.0 |
| .. |
| .. Unless required by applicable law or agreed to in writing, software |
| .. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| .. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| .. License for the specific language governing permissions and limitations under |
| .. the License. |
| |
| .. _cve/2018-8007: |
| |
| ==================================================== |
| CVE-2018-8007: Apache CouchDB Remote Code Execution |
| ==================================================== |
| |
| :Date: 30.04.2018 |
| |
| :Affected: All Versions of Apache CouchDB |
| |
| :Severity: Low |
| |
| :Vendor: The Apache Software Foundation |
| |
| Description |
| =========== |
| |
| CouchDB administrative users can configure the database server via HTTP(S). Due |
| to insufficient validation of administrator-supplied configuration settings via |
| the HTTP API, it is possible for a CouchDB administrator user to escalate their |
| privileges to that of the operating system's user that CouchDB runs under, by |
| bypassing the backlist of configuration settings that are not allowed to be |
| modified via the HTTP API. |
| |
| This privilege escalation effectively allows a CouchDB admin user to gain |
| arbitrary remote code execution, bypassing |
| :ref:`CVE-2017-12636 <cve/2017-12636>` |
| |
| Mitigation |
| ========== |
| |
| All users should upgrade to CouchDB :ref:`1.7.2 <release/1.7.2>` or |
| :ref:`2.1.2 <release/2.1.2>`. |
| |
| Upgrades from previous 1.x and 2.x versions in the same series should be |
| seamless. |
| |
| Users on earlier versions, or users upgrading from 1.x to 2.x should consult |
| with upgrade notes. |
| |
| Credit |
| ====== |
| |
| This issue was discovered by Francesco Oddo of `MDSec Labs`_. |
| |
| .. _MDSec Labs: https://www.mdsec.co.uk/ |