Couchbase Server vulnerabilities
62 known vulnerabilities affecting couchbase/couchbase_server.
Total CVEs: 62
CISA KEV: 3 (actively exploited)
Public exploits: 5
Exploited in wild: 3
Severity breakdown: CRITICAL 8, HIGH 31, MEDIUM 23
Vulnerabilities (page 2 of 4)
Columns: CVE | priority | severity | CVSS | affected versions | date
CVE-2021-25644 | P3 | HIGH | CVSS 7.5 | affected: ≥ 5.0.0, ≤ 6.6.1; v7.0.0 | 2021-05-19
CWE-312. An issue was discovered in Couchbase Server 5.x and 6.x through 6.6.1 and 7.0.0 Beta. Incorrect commands to the REST API can result in leaked authentication information being stored in cleartext in the debug.log and info.log files, and is also shown in the UI visible to administrators.
Source: nvd
CVE-2023-50782 | P3 | HIGH | CVSS 7.5 | affected: v7.6.0; v7.6.1 | 2024-02-05
CWE-203. A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
Source: nvd
CVE-2023-43768 | P3 | HIGH | CVSS 7.5 | affected: ≥ 6.6.0, < 7.1.5; v7.2.0 | 2024-03-27
CWE-770. An issue was discovered in Couchbase Server 6.6.x through 7.2.0, before 7.1.5 and 7.2.1. Unauthenticated users may cause memcached to run out of memory via large commands.
Source: nvd
CVE-2021-42763 | P3 | HIGH | CVSS 7.5 | affected: fixed in 4.6.0; ≥ 5.0.0, < 6.1.0; +3 more | 2021-11-02
CWE-312. Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards an HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included in the HTTP request, has the "@" user credentials of the node processing th
Source: nvd
CVE-2020-9042 | P3 | HIGH | CVSS 8.8 | affected: v6.0.0 | 2020-06-08
CWE-352. In Couchbase Server 6.0, credentials cached by a browser can be used to perform a CSRF attack if an administrator has used their browser to check the results of a REST API request.
Source: nvd
CVE-2022-32564 | P3 | HIGH | CVSS 7.5 | affected: fixed in 7.0.4 | 2022-06-13
An issue was discovered in Couchbase Server before 7.0.4. In couchbase-cli, server-eshell leaks the Cluster Manager cookie.
Source: nvd
CVE-2022-32192 | P3 | HIGH | CVSS 7.5 | affected: ≥ 5.0.0, < 7.0.4 | 2022-06-13
CWE-200. Couchbase Server 5.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor.
Source: nvd
CVE-2024-23302 | P3 | HIGH | CVSS 7.5 | affected: fixed in 7.2.4 | 2024-02-29
CWE-200. Couchbase Server before 7.2.4 has a private key leak in goxdcr.log.
Source: nvd
CVE-2021-37842 | P3 | HIGH | CVSS 7.5 | affected: v7.0.0; v7.0.1 | 2021-11-02
CWE-312. metakv in Couchbase Server 7.0.0 uses Cleartext for Storage of Sensitive Information. Remote Cluster XDCR credentials can get leaked in debug logs. Config key tombstone purging was added in Couchbase Server 7.0.0. This issue happens when a config key, which is being logged, has a tombstone purger time-stamp attached to it.
Source: nvd
CVE-2022-32558 | P3 | HIGH | CVSS 7.5 | affected: ≥ 6.6.0, ≤ 6.6.3; v7.0.0; +3 more | 2022-06-13
An issue was discovered in Couchbase Server before 7.0.4. Sample bucket loading may leak internal user passwords during a failure.
Source: nvd
CVE-2022-33173 | P3 | HIGH | CVSS 7.5 | affected: ≥ 6.6.0, < 7.0.4 | 2022-07-12
An algorithm-downgrade issue was discovered in Couchbase Server before 7.0.4. Analytics Remote Links may temporarily downgrade to a non-TLS connection to determine the TLS port number, using SCRAM-SHA instead.
Source: nvd
CVE-2022-32556 | P3 | HIGH | CVSS 7.5 | affected: ≥ 3.0.0, < 7.1.1 | 2022-07-21
CWE-532. An issue was discovered in Couchbase Server before 7.0.4. A private key is leaked to the log files with certain crashes.
Source: nvd
CVE-2023-25016 | P3 | HIGH | CVSS 7.5 | affected: ≥ 2.0.0, < 6.6.6; ≥ 7.0.0, < 7.0.5; +1 more | 2023-02-06
CWE-319. Couchbase Server before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2 exposes Sensitive Information to an Unauthorized Actor.
Source: nvd
CVE-2022-32560 | P3 | HIGH | CVSS 7.5 | affected: ≥ 4.0.0, < 7.0.4 | 2022-06-13
CWE-862. An issue was discovered in Couchbase Server before 7.0.4. XDCR lacks role checking when changing internal settings.
Source: nvd
CVE-2023-45875 | P3 | HIGH | CVSS 7.5 | affected: v7.2.0 | 2023-11-08
CWE-200. An issue was discovered in Couchbase Server 7.2.0. There is a private key leak in debug.log while adding a pre-7.0 node to a 7.2 cluster.
Source: nvd
CVE-2019-11467 | P3 | HIGH | CVSS 7.5 | affected: v4.6.3; v5.5.0 | 2019-09-10
CWE-119. In Couchbase Server 4.6.3 and 5.5.0, secondary indexing encodes the entries to be indexed using collatejson. When index entries contain certain characters like \t, , it caused buffer overrun as encoded string would be much larger than accounted for, causing indexer service to crash and restart. This has been remedied in versions 5.1.2 and 5.5.2 to ens
Source: nvd
CVE-2022-32565 | P3 | HIGH | CVSS 7.5 | affected: ≥ 7.0.0, < 7.1.0 | 2022-06-13
CWE-532. An issue was discovered in Couchbase Server before 7.0.4. The Backup Service log leaks unredacted usernames and document ids.
Source: nvd
CVE-2019-11497 | P3 | HIGH | CVSS 7.5 | affected: v5.0.0 | 2019-09-10
CWE-295. In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. It then accepted the invalid certificate and attempted to use it to establish future connections to the remote cluster. This has been fixed in version 5.5.0. XDCR now checks the va
Source: nvd
CVE-2021-31158 | P3 | MEDIUM | CVSS 6.5 | affected: ≥ 6.5.0, < 6.6.2 | 2021-05-19
CWE-863. In the Query Engine in Couchbase Server 6.5.x and 6.6.x through 6.6.1, Common Table Expression queries were not correctly checking the user's permissions, allowing read-access to resources beyond what those users were explicitly allowed to access.
Source: nvd
CVE-2020-9041 | P4 | HIGH | CVSS 7.5 | affected: v6.0.3 | 2020-06-08
CWE-404. In Couchbase Server 6.0.3 and Couchbase Sync Gateway through 2.7.0, the Cluster management, views, query, and full-text search endpoints are vulnerable to the Slowloris denial-of-service attack because they don't more aggressively terminate slow connections.
Source: nvd