CVE-2018-8007

CWE-20 — Improper Input Validation7 documents5 sources

Severity

7.2HIGH

EPSS

18.2%

top 4.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Couchdb Apache Couchdb

Timeline

PublishedJul 11

Latest updateMay 14

Description

Apache CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user that CouchDB runs under, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows an existing CouchDB admin …

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5apache_software_foundation/apache_couchdb< 1.7.2+1

▶NVDapache/couchdb2.0.0 — 2.1.1+1

🔴Vulnerability Details

GHSA

GHSA-mqj2-xj98-r5xp: Apache CouchDB administrative users can configure the database server via HTTP(S)↗2022-05-14

▶

CVEList

CVE-2018-8007: Apache CouchDB administrative users can configure the database server via HTTP(S)↗2018-07-11

▶

OSV

CVE-2018-8007: Apache CouchDB administrative users can configure the database server via HTTP(S)↗2018-07-11

▶

💬Community

Bugzilla

CVE-2018-11769 couchdb: Possible privilege escalation by couchdb administrator to system couchdb user↗2018-12-18

▶

Bugzilla

CVE-2018-8007 couchdb: Administrative Privilege Escalation [fedora-all]↗2018-07-13

▶

Bugzilla

CVE-2018-8007 couchdb: Administrative Privilege Escalation↗2018-07-13

▶