CVE-2022-32563Improper Certificate Validation in Sync Gateway

CWE-295Improper Certificate Validation5 documents4 sources
Severity
9.8CRITICALNVD
EPSS
0.4%
top 37.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Couchbase Sync Gateway
Timeline
PublishedJun 10
Latest updateJun 11

Description

An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509 client certificates, the admin credentials provided to the Admin REST API are ignored, resulting in privilege escalation for unauthenticated users. The Public REST API is not impacted by this issue. A workaround is to replace

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDcouchbase/sync_gateway3.0.03.0.2

🔴Vulnerability Details

4
OSV
Couchbase Sync Gateway admin credentials not verified when using X.509 client cert authentication2022-06-11
GHSA
Couchbase Sync Gateway admin credentials not verified when using X.509 client cert authentication2022-06-11
OSV
CVE-2022-32563: An issue was discovered in Couchbase Sync Gateway 32022-06-10
CVEList
CVE-2022-32563: An issue was discovered in Couchbase Sync Gateway 32022-06-10
CVE-2022-32563 — Improper Certificate Validation | cvebase