CVE-2023-26268

CWE-200 — Information Exposure4 documents4 sources

Severity

5.3MEDIUM

EPSS

0.0%

top 85.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Couchdb Apache Software Foundation Apache Couchdb Apache Software Foundation IBM Cloudant +1 more

Timeline

PublishedMay 2

Description

Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list * filter * filter views (using view functions as filters) * rewrite * update This doesn't affect map/reduce or search (Dreyfus) index functions. Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3). Workaround: Avoid using desig…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 1.3 | Impact: 2.7

Affected Packages4 packages

▶NVDapache/couchdb3.3.0 — 3.3.2+1

▶CVEListV5apache_software_foundation/apache_couchdb3.3.1

▶CVEListV5apache_software_foundation/ibm_cloudant8349

▶NVDibm/cloudant8349

🔴Vulnerability Details

CVEList

Apache CouchDB, IBM Cloudant: Information sharing via couchjs processes↗2023-05-02

▶

GHSA

GHSA-97qc-h8j3-mgv9: Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design do↗2023-05-02

▶

OSV

CVE-2023-26268: Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design do↗2023-05-02

▶