Vulnerabilities > Apache > Couchdb > 0.11.1

DATE CVE VULNERABILITY TITLE RISK
2023-12-13 CVE-2023-45725 Unspecified vulnerability in Apache Couchdb
Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document. These design document functions are: *   list *   show *   rewrite *   update An attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an "update" function. For the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document. Workaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate request object's headers
network
low complexity
apache
5.7
2023-05-02 CVE-2023-26268 Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list * filter * filter views (using view functions as filters) * rewrite * update This doesn't affect map/reduce or search (Dreyfus) index functions. Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3). Workaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment.
network
low complexity
apache ibm
5.3
2022-04-26 CVE-2022-24706 Insecure Default Initialization of Resource vulnerability in Apache Couchdb
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
network
low complexity
apache CWE-1188
critical
9.8
2021-10-14 CVE-2021-38295 Cross-site Scripting vulnerability in Apache Couchdb
In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document.
local
low complexity
apache CWE-79
7.3
2019-01-02 CVE-2018-17188 Unspecified vulnerability in Apache Couchdb
Prior to CouchDB version 2.3.0, CouchDB allowed for runtime-configuration of key components of the database.
network
low complexity
apache
7.2
2018-08-08 CVE-2018-11769 Unspecified vulnerability in Apache Couchdb
CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S).
network
low complexity
apache
7.2
2018-07-11 CVE-2018-8007 Improper Input Validation vulnerability in Apache Couchdb
Apache CouchDB administrative users can configure the database server via HTTP(S).
network
low complexity
apache CWE-20
7.2
2017-11-14 CVE-2017-12636 OS Command Injection vulnerability in Apache Couchdb
CouchDB administrative users can configure the database server via HTTP(S).
network
low complexity
apache CWE-78
7.2
2017-11-14 CVE-2017-12635 Improper Privilege Management vulnerability in Apache Couchdb
Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users.
network
low complexity
apache CWE-269
critical
9.8
2014-05-23 CVE-2012-5649 Code Injection vulnerability in Apache Couchdb
Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2.1 allows remote attackers to execute arbitrary code via a JSONP callback, related to Adobe Flash.
network
apache CWE-94
6.8