CVE-2020-9039
published 2020-02-22

CVE-2020-9039: Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer…

Priority: P267 · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 3.84% (88.8th percentile)
Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access). The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles. The endpoint was unauthenticated and has been updated to only allow authenticated users to access these administrative APIs.

Affected

10 ranges

Vendor      Product            Version range    Fixed in
couchbase   couchbase_server   4.0.0
couchbase   couchbase_server   4.1.0
couchbase   couchbase_server   4.1.1
couchbase   couchbase_server   4.5.0
couchbase   couchbase_server   4.5.1
couchbase   couchbase_server   5.0.0
couchbase   couchbase_server   5.1.1
couchbase   couchbase_server   5.5.0
couchbase   couchbase_server   5.5.1
couchbase   couchbase_server   4.6.0 – 4.6.5

Detection & IOCs (extracted from sources)

Type    Indicator
url     /settings
url     /indexer/settings
other   indexer.settings
other   projector.settings
other   max_seckey_size

  • Send an unauthenticated HTTP GET to /settings on the projector process port; a 200 response containing 'indexer.settings', 'projector.settings', or 'max_seckey_size' in the body confirms the vulnerable unauthenticated REST endpoint.
  • Also probe /indexer/settings with an unauthenticated GET; the same response body indicators apply.
  • Shodan fingerprinting for exposed Couchbase instances can be performed using the query html:"Couchbase".
  • The /settings REST endpoint is exposed by the projector process and allows unauthenticated access to administrative APIs, including configuration updates and performance profile collection.
  • Affected versions are specifically 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0–4.6.5, 5.0.0, 5.1.1, 5.5.0, and 5.5.1. Detection should be scoped to these versions to avoid false positives on patched deployments.
  • The Nuclei template is marked verified: false; detections should be manually confirmed before treating results as true positives.
  • The template uses stop-at-first-match, so only the first matching path (/settings or /indexer/settings) will be reported per target; both endpoints should be independently tested for full coverage.

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P