CVE-2020-9039
Published 2020-02-22

Priority: P2 67 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available (see Nuclei template below)
EPSS: 3.84% (88.8th percentile)
Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access). The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles. The endpoint was unauthenticated and has been updated to only allow authenticated users to access these administrative APIs.
Affected (10 ranges; versions taken from the description above, the source table listed only the 4.6.x range explicitly)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| couchbase | couchbase_server | 4.0.0 | — |
| couchbase | couchbase_server | 4.1.0 | — |
| couchbase | couchbase_server | 4.1.1 | — |
| couchbase | couchbase_server | 4.5.0 | — |
| couchbase | couchbase_server | 4.5.1 | — |
| couchbase | couchbase_server | 5.0.0 | — |
| couchbase | couchbase_server | 5.1.1 | — |
| couchbase | couchbase_server | 5.5.0 | — |
| couchbase | couchbase_server | 5.5.1 | — |
| couchbase | couchbase_server | 4.6.0 – 4.6.5 | — |
Detection & IOCs (extracted from sources)

- Send an unauthenticated HTTP GET to /settings on the projector process port; a 200 response containing 'indexer.settings', 'projector.settings', or 'max_seckey_size' in the body confirms the vulnerable unauthenticated REST endpoint.
- Also probe /indexer/settings with an unauthenticated GET; the same response body indicators apply.
- Shodan fingerprinting for exposed Couchbase instances can be performed using the query html:"Couchbase".
- The /settings REST endpoint is exposed by the projector process and allows unauthenticated access to administrative APIs including configuration updates and performance profile collection.
- Affected versions are specifically 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0–4.6.5, 5.0.0, 5.1.1, 5.5.0, and 5.5.1. Detection should be scoped to these versions to avoid false positives on patched deployments.
- The Nuclei template is marked `verified: false`; detections should be manually confirmed before treating results as true positives.
- The template uses stop-at-first-match, so only the first matching path (/settings or /indexer/settings) will be reported per target; both endpoints should be independently tested for full coverage.
CVSS provenance

- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
Nuclei

CVE-2020-9039 [CRITICAL] Couchbase Server - Broken Access Control (nuclei · CVSS 9.8)

Couchbase Server versions 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0-4.6.5, 5.0.0, 5.1.1, 5.5.0, and 5.5.1 contain insecure permissions for the projector and indexer REST endpoints caused by unauthenticated access, letting attackers access administrative APIs without authentication. Exploitation requires no special conditions.
Template (the description text is completed from the summary above; only the info block is indexed here):

```yaml
id: CVE-2020-9039

info:
  name: Couchbase Server - Broken Access Control
  author: pussycat0x
  severity: critical
  description: |
    Couchbase Server versions 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0-4.6.5, 5.0.0, 5.1.1, 5.5.0, and 5.5.1 contain insecure permissions for the projector and indexer REST endpoints caused by unauthenticated access, letting attackers access administrative APIs without authentication, exploit requires no special conditions.
```
No writeups or analysis indexed.