CVE-2019-11466Missing Authentication for Critical Function in Server

CWE-306Missing Authentication for Critical Function3 documents3 sources
Severity
5.3MEDIUMNVD
EPSS
0.3%
top 51.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Couchbase Server
Timeline
PublishedSep 10
Latest updateMay 24

Description

In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes system diagnostic profile via an HTTP endpoint that does not require credentials on a port earmarked for internal traffic only. This has been remedied in version 6.0.1 and now requires valid credentials to access.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

NVDcouchbase/couchbase_server5.5.0, 6.0.0+1

🔴Vulnerability Details

2
GHSA
GHSA-294h-w6qc-2qx4: An issue was discovered in Couchbase Server 52022-05-24
CVEList
CVE-2019-11466: In Couchbase Server 62019-09-10
CVE-2019-11466 — Couchbase Server vulnerability | cvebase