Couchbase Server vulnerabilities
62 known vulnerabilities affecting couchbase/couchbase_server.
Total CVEs: 62
CISA KEV: 3 (actively exploited)
Public exploits: 5
Exploited in wild: 3
Severity breakdown: CRITICAL 8, HIGH 31, MEDIUM 23
Vulnerabilities
Page 1 of 4
CVE-2023-2033 | P1 | HIGH | CVSS 8.8 | KEV | PoC | fixed in 7.1.5 | v7.2.0 | 2023-04-14
CWE-843: Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Source: nvd
CVE-2023-3079 | P1 | HIGH | CVSS 8.8 | KEV | PoC | fixed in 7.1.5 | v7.2.0 | 2023-06-05
CWE-843: Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Source: nvd
CVE-2024-0519 | P1 | HIGH | CVSS 8.8 | KEV | PoC | fixed in 7.2.5 | 2024-01-16
CWE-787: Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Source: nvd
CVE-2020-24719 | P2 | CRITICAL | CVSS 9.8 | PoC | ≥ 6.5.1, < 6.6.0 | 2020-11-12
CWE-78: Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes is done by exchanging a shared secret (aka "magic cookie"). There are cases where the magic cookie is included in the content of the logs. An attacker can use the cookie to attach to an Erlang node and run OS level commands on the system ru
Source: nvd
CVE-2020-9039 | P2 | CRITICAL | CVSS 9.8 | PoC | ≥ 4.6.0, ≤ 4.6.5 | v4.0.0 | +8 more | 2020-02-22
CWE-276: Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access). The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating co
Source: nvd
CVE-2021-35943 | P3 | CRITICAL | CVSS 9.8 | ≥ 6.5.0, ≤ 6.5.2 | ≥ 6.6.0, < 6.6.3 | 2021-09-29
CWE-287: Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty password, per RFC4513.
Source: nvd
CVE-2019-11496 | P3 | CRITICAL | CVSS 9.1 | ≤ 5.0.0 | 2019-09-10
CWE-306: In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication. As part of 5.0, the behavior of all buckets including "default" were changed to only allow access by authenticated users with sufficient authorization. However, users were allowed unauthenticated
Source: nvd
CVE-2023-49931 | P3 | CRITICAL | CVSS 9.8 | ≥ 5.0.0, < 7.2.4 | 2024-02-29
CWE-284: An issue was discovered in Couchbase Server before 7.2.4. SQL++ cURL calls to /diag/eval are not sufficiently restricted.
Source: nvd
CVE-2019-11495 | P3 | CRITICAL | CVSS 9.8 | v5.1.1 | 2019-09-10
CWE-335: In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely. Couchbase Server uses erlang:now() to seed the PRNG which results in a small search space for potential random seeds that could then be used to brute force the cookie and execute code against a remote system. This has been fixed in version 6.0.0.
Source: nvd
CVE-2023-49930 | P3 | CRITICAL | CVSS 9.8 | ≥ 7.1.5, < 7.2.4 | 2024-02-29
CWE-284: An issue was discovered in Couchbase Server before 7.2.4. cURL calls to /diag/eval are not sufficiently restricted.
Source: nvd
CVE-2023-50437 | P3 | HIGH | CVSS 8.6 | ≥ 2.0.0, < 7.2.4 | 2024-02-29
CWE-266: An issue was discovered in Couchbase Server before 7.2.x before 7.2.4. otpCookie is shown with full admin on pools/default/serverGroups and engageCluster2.
Source: nvd
CVE-2022-42951 | P3 | HIGH | CVSS 8.1 | ≥ 6.5.0, < 6.6.6 | ≥ 7.0.0, < 7.0.5 | +1 more | 2023-02-06
CWE-287: An issue was discovered in Couchbase Server 6.5.x and 6.6.x before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2. During the start-up of a Couchbase Server node, there is a small window of time (before the cluster management authentication has started) where an attacker can connect to the cluster manager using default credentials.
Source: nvd
CVE-2022-32562 | P3 | HIGH | CVSS 8.8 | ≥ 7.0.0, ≤ 7.0.4 | 2022-06-13
CWE-276: An issue was discovered in Couchbase Server before 7.0.4. Operations may succeed on a collection using stale RBAC permission.
Source: nvd
CVE-2025-46619 | P3 | HIGH | CVSS 7.6 | ≥ 2.0.0, < 7.2.7 | ≥ 7.6.0, < 7.6.4 | 2025-04-30
CWE-284: A security issue has been discovered in Couchbase Server before 7.6.4 and fixed in v.7.6.4 and v.7.2.7 for Windows that could allow unauthorized access to sensitive files. Depending on the level of privileges, this vulnerability may grant access to files such as /etc/passwd or /etc/shadow.
Source: nvd
CVE-2023-36667 | P3 | HIGH | CVSS 7.5 | ≥ 2.0.0, < 7.1.5 | v7.2.0 | 2023-11-08
CWE-22: Couchbase Server 7.1.4 before 7.1.5 and 7.2.0 before 7.2.1 allows Directory Traversal.
Source: nvd
CVE-2022-32559 | P3 | CRITICAL | CVSS 9.1 | ≥ 4.0.0, < 7.0.4 | 2022-06-14
CWE-770: An issue was discovered in Couchbase Server before 7.0.4. Random HTTP requests lead to leaked metrics.
Source: nvd
CVE-2022-32557 | P3 | HIGH | CVSS 7.5 | ≥ 4.0.0, < 7.0.4 | 2022-06-14
CWE-306: An issue was discovered in Couchbase Server before 7.0.4. The Index Service does not enforce authentication for TCP/TLS servers.
Source: nvd
CVE-2023-49338 | P3 | HIGH | CVSS 7.5 | ≥ 4.0.0, < 7.2.4 | 2024-02-28
CWE-276: Couchbase Server 7.1.x and 7.2.x before 7.2.4 does not require authentication for the /admin/stats and /admin/vitals endpoints on TCP port 8093 of localhost.
Source: nvd
CVE-2021-35944 | P3 | HIGH | CVSS 7.5 | ≥ 6.5.0, ≤ 6.5.2 | ≥ 6.6.0, ≤ 6.6.2 | +1 more | 2021-09-29
CWE-120: Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached.
Source: nvd
CVE-2021-35945 | P3 | HIGH | CVSS 7.5 | ≥ 4.5.0, ≤ 5.5.6 | ≥ 6.0.0, ≤ 6.0.5 | +3 more | 2021-09-29
CWE-120: Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached.
Source: nvd