⚠ Actively exploited
Added to CISA KEV on 2022-08-25. Federal agencies required to patch by 2022-09-15. Required action: Apply updates per vendor instructions.

CVE-2022-24706

CWE-1188 | 8 documents | 8 sources
Severity
9.8 CRITICAL
EPSS
94.4%
top 0.03%
CISA KEV
KEV
Added 2022-08-25
Due 2022-09-15
Exploit
Exploited in wild
Active exploitation observed
Timeline
Published: Apr 26
KEV added: Aug 25
KEV due: Sep 15
CISA Required Action: Apply updates per vendor instructions.

Description

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

NVD: apache/couchdb < 3.2.2
CVEList V5: apache_software_foundation/apache_couchdb (Apache CouchDB) 3.2.1

Patches

🔴Vulnerability Details (3)

GHSA
GHSA-vxc9-8m8h-9cp6: In Apache CouchDB prior to 3 (2022-04-27)
CVEList
Remote Code Execution Vulnerability in Packaging (2022-04-26)
VulnCheck
Apache CouchDB Insecure Default Initialization of Resource Vulnerability (2022)

💥Exploits & PoCs (2)

Exploit-DB
Apache CouchDB 3.2.1 - Remote Code Execution (RCE) (2022-05-11)
Nuclei
CouchDB Erlang Distribution - Remote Command Execution

🔍Detection Rules (1)

Suricata
ET EXPLOIT Default Apache CouchDB Erlang Cookie Observed (CVE-2022-24706) (2022-05-23)

📋Vendor Advisories (1)

CISA
Apache CouchDB Insecure Default Initialization of Resource Vulnerability (2022-08-25)
CVE-2022-24706 (CRITICAL CVSS 9.8) | In Apache CouchDB prior to 3.2.2 | cvebase.io