CVE-2022-24706

critical

Description

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.

References

https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd

https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00

https://docs.couchdb.org/en/3.2.2/setup/cluster.html

http://www.openwall.com/lists/oss-security/2022/05/09/4

http://www.openwall.com/lists/oss-security/2022/05/09/3

http://www.openwall.com/lists/oss-security/2022/05/09/2

http://www.openwall.com/lists/oss-security/2022/05/09/1

http://www.openwall.com/lists/oss-security/2022/04/26/1

http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html

http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html

Details

Source: Mitre, NVD

Published: 2022-04-26

Updated: 2024-06-28

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical