| .. Licensed under the Apache License, Version 2.0 (the "License"); you may not |
| .. use this file except in compliance with the License. You may obtain a copy of |
| .. the License at |
| .. |
| .. http://www.apache.org/licenses/LICENSE-2.0 |
| .. |
| .. Unless required by applicable law or agreed to in writing, software |
| .. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| .. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| .. License for the specific language governing permissions and limitations under |
| .. the License. |
| |
| .. _cve/2020-1955: |
| |
| =========================================================== |
| CVE-2020-1955: Apache CouchDB Remote Privilege Escalation |
| =========================================================== |
| |
| :Date: 19.05.2020 |
| |
| :Affected: 3.0.0 |
| |
| :Severity: Medium |
| |
| :Vendor: The Apache Software Foundation |
| |
| Description |
| =========== |
| |
| CouchDB version 3.0.0 shipped with a new configuration setting that |
| governs access control to the entire database server called |
| `require_valid_user_except_for_up`. It was meant as an extension to the |
| long-standing setting `require_valid_user`, which in turn requires that |
| any and all requests to CouchDB will have to be made with valid |
| credentials, effectively forbidding any anonymous requests. |
| |
| The new `require_valid_user_except_for_up` is an off-by-default setting |
| that was meant to allow requiring valid credentials for all endpoints |
| except for the `/_up` endpoint. |
| |
| However, the implementation of this made an error that lead to not |
| enforcing credentials on any endpoint, when enabled. |
| |
| CouchDB versions :ref:`3.0.1 <release/3.0.1>` and :ref:`3.1.0 |
| <release/3.1.0>` fix this issue. |
| |
| Mitigation |
| ========== |
| |
| Users who have not enabled `require_valid_user_except_for_up` are not |
| affected. |
| |
| Users who have it enabled can either disable it again, or upgrade to |
| CouchDB versions :ref:`3.0.1 <release/3.0.1>` and :ref:`3.1.0 |
| <release/3.1.0>` |
| |
| Credit |
| ====== |
| |
| This issue was discovered by Stefan Klein. |