
Couchbase Server vulnerabilities

62 known vulnerabilities affecting couchbase/couchbase_server.

Total CVEs: 62
CISA KEV: 3 (actively exploited)
Public exploits: 5
Exploited in the wild: 3
Severity breakdown: CRITICAL 8, HIGH 31, MEDIUM 23

Vulnerabilities

Page 3 of 4
CVE-2022-32193 | P4 | MEDIUM | CVSS 6.5 | CWE-532 | Affected: ≥ 6.6.0, ≤ 6.6.3; v7.0.0; +3 more | 2022-06-13
Couchbase Server 6.6.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor.
Source: nvd
CVE-2024-56178 | P4 | MEDIUM | CVSS 6.5 | CWE-281 | Affected: ≥ 7.6.0, ≤ 7.6.3 | 2025-01-27
An issue was discovered in Couchbase Server 7.6.x through 7.6.3. A user with the security_admin_local role can create a new user in a group that has the admin role.
Source: nvd
CVE-2024-37034 | P4 | MEDIUM | CVSS 5.9 | CWE-326 | Affected: ≥ 6.0.0, < 7.2.5; v7.6.0 | 2024-07-26
An issue was discovered in Couchbase Server before 7.2.5 and 7.6.0 before 7.6.1. It does not ensure that credentials are negotiated with the Key-Value (KV) service using SCRAM-SHA when remote link encryption is configured for Half-Secure.
Source: nvd
CVE-2023-28470 | P4 | MEDIUM | CVSS 5.3 | CWE-306 | Affected: ≥ 6.6.0, < 7.1.4 | 2023-03-23
In Couchbase Server 5 through 7 before 7.1.4, the nsstats endpoint is accessible without authentication.
Source: nvd
CVE-2024-25673 | P4 | MEDIUM | CVSS 6.1 | CWE-74 | Affected: ≥ 2.0.0, < 7.2.6; ≥ 7.6.0, < 7.6.2 | 2024-09-19
Couchbase Server 7.6.x before 7.6.2, 7.2.x before 7.2.6, and all earlier versions allow HTTP Host header injection.
Source: nvd
CVE-2021-27924 | P4 | MEDIUM | CVSS 5.9 | CWE-319 | Affected: ≥ 6.0.0, < 6.6.2 | 2021-05-19
An issue was discovered in Couchbase Server 6.x through 6.6.1. The Couchbase Server UI insecurely logs session cookies in the logs. This allows impersonation of a user if the log files are obtained by an attacker before the session cookie expires.
Source: nvd
CVE-2022-34826 | P4 | MEDIUM | CVSS 5.9 | CWE-532 | Affected: v7.1.0 | 2022-07-15
In Couchbase Server 7.1.x before 7.1.1, an encrypted Private Key passphrase may be leaked in the logs.
Source: nvd
CVE-2019-11466 | P4 | MEDIUM | CVSS 5.3 | CWE-306 | Affected: v5.5.0; v6.0.0 | 2019-09-10
In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes a system diagnostic profile via an HTTP endpoint that does not require credentials, on a port earmarked for internal traffic only. This has been remedied in version 6.0.1, which now requires valid credentials for access.
Source: nvd
CVE-2023-49932 | P4 | MEDIUM | CVSS 5.4 | CWE-281 | Affected: ≥ 5.0.0, < 7.2.4 | 2024-02-29
An issue was discovered in Couchbase Server before 7.2.4. An attacker can bypass SQL++ N1QL cURL host restrictions.
Source: nvd
CVE-2023-45873 | P4 | MEDIUM | CVSS 6.5 | CWE-770 | Affected: fixed in 7.2.3 | 2024-02-28
An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (application exit) because of the OOM killer.
Source: nvd
CVE-2023-43769 | P4 | MEDIUM | CVSS 6.3 | Affected: ≥ 6.0.0, < 7.2.4 | 2024-02-29
An issue was discovered in Couchbase Server through 7.1.4 before 7.1.5 and before 7.2.1. There are Unauthenticated RMI Service Ports Exposed in Analytics.
Source: nvd
CVE-2019-11464 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: v5.1.2; v5.5.0 | 2019-09-10
Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable, however some information security professionals additionally look for X-Permitted-Cross-Domain-Policies and X-XSS-Protection, which are more generally applicable to HT
Source: nvd
CVE-2019-11465 | P4 | MEDIUM | CVSS 5.3 | CWE-532 | Affected: ≥ 5.5.0, ≤ 5.5.3; v6.0.0 | 2019-09-10
An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a non-redacted username. The system information submitted to Couchbase as part of a bug report included the usernames for all users currently logged into the system even if the log was redacted for privacy. This has been fi
Source: nvd
CVE-2023-50436 | P4 | MEDIUM | CVSS 5.3 | CWE-522 | Affected: ≥ 7.1.5, < 7.2.4 | 2024-02-29
An issue was discovered in Couchbase Server before 7.2.4. ns_server admin credentials are leaked in encoded form in the diag.log file. The earliest affected version is 7.1.5.
Source: nvd
CVE-2021-33504 | P4 | MEDIUM | CVSS 4.9 | Affected: ≥ 2.0.0, < 7.1.0 | 2022-06-02
Couchbase Server before 7.1.0 has Incorrect Access Control.
Source: nvd
CVE-2022-33911 | P4 | MEDIUM | CVSS 5.3 | CWE-532 | Affected: ≥ 6.5.0, < 7.0.4 | 2022-07-12
An issue was discovered in Couchbase Server 7.x before 7.0.4. Field names are not redacted in logged validation messages for the Analytics Service. An Unauthorized Actor may be able to obtain Sensitive Information.
Source: nvd
CVE-2022-32561 | P4 | MEDIUM | CVSS 4.9 | Affected: ≥ 5.0.0, < 6.6.5; ≥ 7.0.0, < 7.0.4 | 2022-06-14
An issue was discovered in Couchbase Server before 6.6.5 and 7.x before 7.0.4. Previous mitigations for CVE-2018-15728 were found to be insufficient when it was discovered that diagnostic endpoints could still be accessed from the network.
Source: nvd
CVE-2021-25643 | P4 | MEDIUM | CVSS 4.9 | CWE-319 | Affected: ≥ 5.0.0, < 6.5.2; ≥ 6.6.0, < 6.6.2 | 2021-05-26
An issue was discovered in Couchbase Server 5.x and 6.x before 6.5.2 and 6.6.x before 6.6.2. Internal users with administrator privileges, @cbq-engine-cbauth and @index-cbauth, leak credentials in cleartext in the indexer.log file when they make a /listCreateTokens, /listRebalanceTokens, or /listMetadataTokens call.
Source: nvd
CVE-2022-42950 | P4 | MEDIUM | CVSS 4.9 | CWE-400 | Affected: ≥ 7.0.0, < 7.0.5; ≥ 7.1.0, < 7.1.2 | 2023-02-06
An issue was discovered in Couchbase Server 7.x before 7.0.5 and 7.1.x before 7.1.2. A crafted HTTP REST request from an administrator account to the Couchbase Server Backup Service can exhaust memory resources, causing the process to be killed, which can be used for denial of service.
Source: nvd
CVE-2021-27925 | P4 | MEDIUM | CVSS 4.4 | CWE-362 | Affected: ≥ 6.5.0, < 6.6.2 | 2021-05-19
An issue was discovered in Couchbase Server 6.5.x and 6.6.x through 6.6.1. When using the View Engine and Auditing is enabled, a crash condition can (depending on a race condition) cause an internal user with administrator privileges, @ns_server, to have its credentials leaked in cleartext in the ns_server.info.log file.
Source: nvd