Publish CVE-2023-45725
diff --git a/src/docs/src/cve/2023-45725.rst b/src/docs/src/cve/2023-45725.rst
new file mode 100644
index 0000000..bf9dd65
--- /dev/null
+++ b/src/docs/src/cve/2023-45725.rst
@@ -0,0 +1,105 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+.. http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cve/2023-45725:
+
+===========================================================================
+CVE-2023-45725: Apache CouchDB: Privilege Escalation Using Design Documents
+===========================================================================
+
+:Date: 12.12.2023
+
+:Affected: 3.3.2 and below
+
+:Severity: Medium
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+Design document functions which receive a user http request object may expose
+authorization or session cookie headers of the user who accesses the document.
+
+These design document functions are:
+ * list
+ * show
+ * rewrite
+ * update
+
+An attacker can leak the session component using an HTML-like output, insert
+the session as an external resource (such as an image), or store the credential
+in a ``_local`` document with an "update" function.
+
+For the attack to succeed the attacker has to be able to insert the design
+documents into the database, then manipulate a user to access a function from
+that design document.
+
+Mitigation
+==========
+
+CouchDB :ref:`3.3.3 <release/3.3.3>` scrubs the sentive headers from http
+request objects passed to the query server execution environment.
+
+For versions older than :ref:`3.3.3 <release/3.3.3>` this patch applied to the
+``loop.js`` file would also mitigate the issue:
+
+.. code-block:: diff
+
+ diff --git a/share/server/loop.js b/share/server/loop.js
+ --- a/share/server/loop.js
+ +++ b/share/server/loop.js
+ @@ -49,6 +49,20 @@ function create_nouveau_sandbox() {
+ return sandbox;
+ }
+
+ +function scrubReq(args) {
+ + var req = args.pop()
+ + if (req.method && req.headers && req.peer && req.userCtx) {
+ + delete req.cookie
+ + for (var p in req.headers) {
+ + if (req.headers.hasOwnProperty(p) && ["authorization", "cookie"].indexOf(p.toLowerCase()) !== -1) {
+ + delete req.headers[p]
+ + }
+ + }
+ + }
+ + args.push(req)
+ + return args
+ +}
+ +
+ // Commands are in the form of json arrays:
+ // ["commandname",..optional args...]\n
+ //
+ @@ -85,7 +99,7 @@ var DDoc = (function() {
+ var funPath = args.shift();
+ var cmd = funPath[0];
+ // the first member of the fun path determines the type of operation
+ - var funArgs = args.shift();
+ + var funArgs = scrubReq(args.shift());
+ if (ddoc_dispatch[cmd]) {
+ // get the function, call the command with it
+ var point = ddoc;
+
+Workarounds
+===========
+
+Avoid using design documents from untrusted sources which may attempt to access
+or manipulate request object's headers.
+
+Credit
+======
+
+This issue was found by Natan Nehorai and reported by Or Peles from the JFrog
+Vulnerability Research Team.
+
+It was also independently found by Richard Ellis and Mike Rhodes from
+IBM/Cloudant.
