CVE-2020-1955: Missing Authentication for Critical Function in Apache Software Foundation Apache CouchDB

Severity: 9.8 CRITICAL (NVD)
EPSS: 1.9% (top 16.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 20, 2020; latest update Jun 24

Description

CouchDB version 3.0.0 shipped with a new configuration setting that governs access control to the entire database server called `require_valid_user_except_for_up`. It was meant as an extension to the long standing setting `require_valid_user`, which in turn requires that any and all requests to CouchDB will have to be made with valid credentials, effectively forbidding any anonymous requests. The new `require_valid_user_except_for_up` is an off-by-default setting that was meant to allow requirin
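The settings above are easy to confuse in a `local.ini`, and on 3.0.0 the one that reads as the stricter choice is the one that is broken. The audit helpers below are an added example written for this page; they are not CouchDB project code and not taken from the advisory. `audit_ini` parses the `[chttpd]` section (where both keys live) and flags `require_valid_user_except_for_up` on a 3.0.0 node, with `require_valid_user = true` shown as the setting that is actually enforced; `assess_probe` interprets the status codes an anonymous request gets from `/_up` and from `/_all_dbs`, relying on `/_all_dbs` being admin-only by default on 3.x, so a 200 without credentials means anonymous callers are being treated as admin. The sample ini texts are constructed for the demo, and the version string is a caller-supplied assumption rather than something detected from the server.

```python
"""
Added audit helpers for CVE-2020-1955. Not CouchDB project code and not from
the advisory. Two checks:
  1. audit_ini(): flag a local.ini that enables require_valid_user_except_for_up
     on a 3.0.0 node, and show the setting that is actually enforced.
  2. assess_probe(): interpret anonymous status codes from /_up and /_all_dbs.
"""
import configparser
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

# Constructed sample configs for the demo; not taken from any real deployment.
VULNERABLE_INI = """
[chttpd]
; Intended: credentials on everything except /_up. On 3.0.0 this is CVE-2020-1955.
require_valid_user = false
require_valid_user_except_for_up = true
"""

HARDENED_INI = """
[chttpd]
; Long-standing setting, enforced on 3.0.0. /_up needs credentials too, which is
; the price of not relying on the broken setting on an affected node.
require_valid_user = true
"""


def _enabled(cfg, section, key):
    """True when the key exists in the section and parses as a true boolean."""
    return cfg.has_section(section) and cfg.getboolean(section, key, fallback=False)


def audit_ini(ini_text, version="3.0.0"):
    """Return (verdict, reason) for the text of a CouchDB ini file.

    "AT_RISK": require_valid_user_except_for_up is on and the node is 3.0.0, the
    only release this page lists as affected. "OK": require_valid_user is on and
    the broken setting is off. "CHECK_VERSION": the setting is on, on some other
    release (assumed, not detected). "ANONYMOUS_BY_DESIGN": neither is set.
    """
    cfg = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";", "#"))
    cfg.read_string(ini_text)
    strict = _enabled(cfg, "chttpd", "require_valid_user")
    except_up = _enabled(cfg, "chttpd", "require_valid_user_except_for_up")
    if except_up and version == "3.0.0":
        return ("AT_RISK", "require_valid_user_except_for_up is enabled on 3.0.0 "
                "(CVE-2020-1955): disable it and rely on require_valid_user = true, or upgrade")
    if except_up:
        return ("CHECK_VERSION", f"setting enabled on {version}; confirm this release carries the fix")
    if strict:
        return ("OK", "require_valid_user = true: every request needs credentials")
    return ("ANONYMOUS_BY_DESIGN", "neither setting enabled; anonymous requests are allowed")


def assess_probe(up_status, all_dbs_status):
    """Interpret status codes from anonymous (no credentials) requests.

    /_all_dbs is admin-only on CouchDB 3.x, so 200 without credentials means the
    anonymous caller was treated as admin; 401/403 means auth is enforced.
    /_up is reported for context only: under require_valid_user = true it is
    401 as well, which is the hardened state, not a failure.
    """
    if all_dbs_status == 200:
        return ("ANONYMOUS_ADMIN", f"/_all_dbs answered 200 anonymously (/_up={up_status})")
    if all_dbs_status in (401, 403):
        return ("AUTH_ENFORCED", f"anonymous /_all_dbs rejected with {all_dbs_status} (/_up={up_status})")
    return ("INCONCLUSIVE", f"/_up={up_status} /_all_dbs={all_dbs_status}")


def probe(base_url, timeout=5.0):
    """Anonymously fetch /_up and /_all_dbs from a node you are authorized to test."""
    def status(path):
        req = Request(base_url.rstrip("/") + path, headers={"Accept": "application/json"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                return resp.status
        except HTTPError as err:
            return err.code
        except URLError:
            return None  # unreachable: assess_probe reports INCONCLUSIVE
    return assess_probe(status("/_up"), status("/_all_dbs"))


if __name__ == "__main__":
    for label, ini in (("vulnerable", VULNERABLE_INI), ("hardened", HARDENED_INI)):
        print(label, *audit_ini(ini))
    print("probe 200/200:", *assess_probe(200, 200))
```

`probe()` is the only part that touches the network; run it with something like `probe("http://127.0.0.1:5984")` against a node you own. A 401 from `/_up` on a hardened node is expected, so read the verdict from the `/_all_dbs` result rather than from `/_up` alone.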

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (2 packages)

NVD: apache/couchdb 3.0.0
CVEListV5: apache_software_foundation/apache_couchdb, Apache CouchDB 3.0.0

Vulnerability Details

GHSA
GHSA-6625-2573-pv96: CouchDB version 3 (2022-05-24)
CVEList
CVE-2020-1955: CouchDB version 3 (2020-05-20)

Community

Bugzilla
CVE-2020-1955 couchdb: remote privilege escalation when require_valid_user_except_for_up setting is enabled [fedora-all] (2020-05-26)
Bugzilla
CVE-2020-1955 couchdb: remote privilege escalation when require_valid_user_except_for_up setting is enabled (2020-05-26)
CVE-2020-1955 — CRITICAL severity | cvebase