Vulnerabilities > Couchbase
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-09-10 | CVE-2019-11497 | Improper Certificate Validation vulnerability in Couchbase Server 5.0.0 In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. | 7.5 |
| 2019-09-10 | CVE-2019-11496 | Missing Authentication for Critical Function vulnerability in Couchbase Server In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication. | 9.1 |
| 2019-09-10 | CVE-2019-11495 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Couchbase Server 5.1.1 In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely. | 9.8 |
| 2019-09-10 | CVE-2019-11467 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Couchbase Server 4.6.3/5.5.0 In Couchbase Server 4.6.3 and 5.5.0, secondary indexing encodes the entries to be indexed using collatejson. | 7.5 |
| 2019-09-10 | CVE-2019-11466 | Missing Authentication for Critical Function vulnerability in Couchbase Server 5.5.0/6.0.0 In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes system diagnostic profile via an HTTP endpoint that does not require credentials on a port earmarked for internal traffic only. | 5.3 |
| 2019-09-10 | CVE-2019-11465 | Information Exposure Through Log Files vulnerability in Couchbase Server An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. | 5.3 |
| 2019-09-10 | CVE-2019-11464 | Cross-site Scripting vulnerability in Couchbase Server 5.1.2/5.5.0 Some enterprises require that REST API endpoints include security-related headers in REST responses. | 6.1 |
| 2019-06-26 | CVE-2019-9039 | SQL Injection vulnerability in Couchbase Sync Gateway 2.1.2 In Couchbase Sync Gateway 2.1.2, an attacker with access to the Sync Gateway’s public REST API was able to issue additional N1QL statements and extract sensitive data or call arbitrary N1QL functions through the parameters "startkey" and "endkey" on the "_all_docs" endpoint. | 9.8 |
| 2018-08-24 | CVE-2018-15728 | Code Injection vulnerability in Couchbase Server Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. | 8.8 |