Vulnerabilities > Couchbase > Couchbase Server
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-06-08 | CVE-2020-9041 | Improper Resource Shutdown or Release vulnerability in Couchbase Server and Sync Gateway In Couchbase Server 6.0.3 and Couchbase Sync Gateway through 2.7.0, the Cluster management, views, query, and full-text search endpoints are vulnerable to the Slowloris denial-of-service attack because they don't more aggressively terminate slow connections. | 7.5 |
| 2020-02-22 | CVE-2020-9039 | Incorrect Default Permissions vulnerability in Couchbase Server Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles. | 9.8 |
| 2019-09-10 | CVE-2019-11497 | Improper Certificate Validation vulnerability in Couchbase Server 5.0.0 In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. | 7.5 |
| 2019-09-10 | CVE-2019-11496 | Missing Authentication for Critical Function vulnerability in Couchbase Server In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication. | 9.1 |
| 2019-09-10 | CVE-2019-11495 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Couchbase Server 5.1.1 In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely. | 9.8 |
| 2019-09-10 | CVE-2019-11467 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Couchbase Server 4.6.3/5.5.0 In Couchbase Server 4.6.3 and 5.5.0, secondary indexing encodes the entries to be indexed using collatejson. | 7.5 |
| 2019-09-10 | CVE-2019-11466 | Missing Authentication for Critical Function vulnerability in Couchbase Server 5.5.0/6.0.0 In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes system diagnostic profile via an HTTP endpoint that does not require credentials on a port earmarked for internal traffic only. | 5.3 |
| 2019-09-10 | CVE-2019-11465 | Information Exposure Through Log Files vulnerability in Couchbase Server An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. | 5.3 |
| 2019-09-10 | CVE-2019-11464 | Cross-site Scripting vulnerability in Couchbase Server 5.1.2/5.5.0 Some enterprises require that REST API endpoints include security-related headers in REST responses. | 6.1 |
| 2018-08-24 | CVE-2018-15728 | Code Injection vulnerability in Couchbase Server Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. | 8.8 |