Couchbase Server vulnerabilities (vendor: Couchbase)

DATE        CVE             VULNERABILITY TITLE
            Description
            Attack vector; attack complexity (where listed); vendor; weakness (CWE); RISK

2020-11-12  CVE-2020-24719  OS Command Injection vulnerability in Couchbase Server 6.5.1
            Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack.
            network; low complexity; couchbase; CWE-78; risk: critical, 10.0

2020-06-08  CVE-2020-9042   Cross-Site Request Forgery (CSRF) vulnerability in Couchbase Server 6.0.0
            In Couchbase Server 6.0, credentials cached by a browser can be used to perform a CSRF attack if an administrator has used their browser to check the results of a REST API request.
            network; couchbase; CWE-352; risk: 6.8

2020-06-08  CVE-2020-9041   Improper Resource Shutdown or Release vulnerability in Couchbase Server and Sync Gateway
            In Couchbase Server 6.0.3 and Couchbase Sync Gateway through 2.7.0, the Cluster management, views, query, and full-text search endpoints are vulnerable to the Slowloris denial-of-service attack because they don't more aggressively terminate slow connections.
            network; low complexity; couchbase; CWE-404; risk: 5.0

2020-02-22  CVE-2020-9039   Incorrect Default Permissions vulnerability in Couchbase Server
            Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access). The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles.
            network; low complexity; couchbase; CWE-276; risk: 7.5

2019-09-10  CVE-2019-11497  Improper Certificate Validation vulnerability in Couchbase Server 5.0.0
            In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature.
            network; low complexity; couchbase; CWE-295; risk: 5.0

2019-09-10  CVE-2019-11496  Missing Authentication for Critical Function vulnerability in Couchbase Server 4.0.0/4.6.3/5.0.0
            In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication.
            network; low complexity; couchbase; CWE-306; risk: 6.4

2019-09-10  CVE-2019-11495  Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Couchbase Server 5.1.1
            In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely.
            network; low complexity; couchbase; CWE-335; risk: critical, 9.8

2019-09-10  CVE-2019-11467  Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Couchbase Server 4.6.3/5.5.0
            In Couchbase Server 4.6.3 and 5.5.0, secondary indexing encodes the entries to be indexed using collatejson.
            network; low complexity; couchbase; CWE-119; risk: 7.8

2019-09-10  CVE-2019-11466  Missing Authentication for Critical Function vulnerability in Couchbase Server 5.5.0/6.0.0
            In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes system diagnostic profile via an HTTP endpoint that does not require credentials on a port earmarked for internal traffic only.
            network; low complexity; couchbase; CWE-306; risk: 5.0

2019-09-10  CVE-2019-11465  Information Exposure Through Discrepancy vulnerability in Couchbase Server
            An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0.
            network; low complexity; couchbase; CWE-203; risk: 5.0