Vulnerabilities > Apache > Couchdb > 0.8.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-12-13 | CVE-2023-45725 | Unspecified vulnerability in Apache Couchdb Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document. These design document functions are: * list * show * rewrite * update An attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an "update" function. For the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document. Workaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate request object's headers | 5.7 |
| 2023-05-02 | CVE-2023-26268 | Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list * filter * filter views (using view functions as filters) * rewrite * update This doesn't affect map/reduce or search (Dreyfus) index functions. Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3). Workaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment. | 5.3 |
| 2022-04-26 | CVE-2022-24706 | Insecure Default Initialization of Resource vulnerability in Apache Couchdb In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. | 9.8 |
| 2021-10-14 | CVE-2021-38295 | Cross-site Scripting vulnerability in Apache Couchdb In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. | 7.3 |
| 2019-01-02 | CVE-2018-17188 | Unspecified vulnerability in Apache Couchdb Prior to CouchDB version 2.3.0, CouchDB allowed for runtime-configuration of key components of the database. | 7.2 |
| 2018-08-08 | CVE-2018-11769 | Unspecified vulnerability in Apache Couchdb CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S). | 7.2 |
| 2018-07-11 | CVE-2018-8007 | Improper Input Validation vulnerability in Apache Couchdb Apache CouchDB administrative users can configure the database server via HTTP(S). | 7.2 |
| 2017-11-14 | CVE-2017-12636 | OS Command Injection vulnerability in Apache Couchdb CouchDB administrative users can configure the database server via HTTP(S). | 7.2 |
| 2017-11-14 | CVE-2017-12635 | Improper Privilege Management vulnerability in Apache Couchdb Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. | 9.8 |