CVE-2018-11769

6 documents, 5 sources
Severity
7.2 HIGH
EPSS
6.1%
top 9.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 8
Latest update: May 13

Description

CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user under which CouchDB runs, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows a CouchDB admin use…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

NVD: apache/couchdb < 2.2.0
CVEListV5: apache_software_foundation/apache_couchdb, Apache Tomcat 1.x and =2.1.2

Vulnerability Details (3)

GHSA: GHSA-33mm-q6vp-mvmv: CouchDB administrative users before 2 (2022-05-13)
CVEList: CVE-2018-11769: CouchDB administrative users before 2 (2018-08-08)
OSV: CVE-2018-11769: CouchDB administrative users before 2 (2018-08-08)

Community (2)

Bugzilla: CVE-2018-11769 couchdb: Possible privilege escalation by couchdb administrator to system couchdb user [fedora-all] (2018-12-18)
Bugzilla: CVE-2018-11769 couchdb: Possible privilege escalation by couchdb administrator to system couchdb user (2018-12-18)