Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-9039: Incorrect Default Permissions in Server

Severity: 9.8 CRITICAL (NVD)
EPSS: 66.1% (top 1.48%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline
Published: Feb 22
Latest update: May 24

Description

Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access). The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles. The endpoint was unauthenticated and has been updated to only allow authenticated users to access th

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (1 package)

NVD: couchbase/couchbase_server 4.6.0 - 4.6.5 (+9)

🔴 Vulnerability Details (2)

GHSA
GHSA-j2x2-7857-rm23: Couchbase Server 4 (2022-05-24)
CVEList
CVE-2020-9039: Couchbase Server 4 (2020-02-22)

💥 Exploits & PoCs (1)

Nuclei
Couchbase Server - Broken Access Control
CVE-2020-9039 — Incorrect Default Permissions in Server | cvebase