Couchbase Sync Gateway vulnerabilities

5 known vulnerabilities affecting couchbase/sync_gateway.

Total CVEs
5
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH3

Vulnerabilities

Page 1 of 1
CVE-2025-52490HIGHCVSS 7.3fixed in 3.2.62025-07-29
CVE-2025-52490 [HIGH] CWE-319 CVE-2025-52490: An issue was discovered in Couchbase Sync Gateway before 3.2.6. In sgcollect_info_options.log and sy An issue was discovered in Couchbase Sync Gateway before 3.2.6. In sgcollect_info_options.log and sync_gateway.log, there are cleartext passwords in redacted and unredacted output.
nvd
CVE-2022-32563CRITICALCVSS 9.8≥ 3.0.0, < 3.0.22022-06-10
CVE-2022-32563 [CRITICAL] CWE-295 CVE-2022-32563: An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verifi An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509 client certificates, the admin credentials provided to the Admin REST API
nvd
CVE-2021-43963HIGHCVSS 8.1≥ 2.7.0, < 2.8.32021-12-07
CVE-2021-43963 [HIGH] CWE-200 CVE-2021-43963: An issue was discovered in Couchbase Sync Gateway 2.7.0 through 2.8.2. The bucket credentials used t An issue was discovered in Couchbase Sync Gateway 2.7.0 through 2.8.2. The bucket credentials used to read and write data in Couchbase Server were insecurely being stored in the metadata within sync documents written to the bucket. Users with read access could use these credentials to obtain write access. (This issue does not affect clusters where Syn
nvd
CVE-2020-9041HIGHCVSS 7.5≤ 2.7.02020-06-08
CVE-2020-9041 [HIGH] CWE-404 CVE-2020-9041: In Couchbase Server 6.0.3 and Couchbase Sync Gateway through 2.7.0, the Cluster management, views, q In Couchbase Server 6.0.3 and Couchbase Sync Gateway through 2.7.0, the Cluster management, views, query, and full-text search endpoints are vulnerable to the Slowloris denial-of-service attack because they don't more aggressively terminate slow connections.
nvd
CVE-2019-9039CRITICALCVSS 9.8v2.1.22019-06-26
CVE-2019-9039 [CRITICAL] CWE-89 CVE-2019-9039: In Couchbase Sync Gateway 2.1.2, an attacker with access to the Sync Gateway’s public REST API was a In Couchbase Sync Gateway 2.1.2, an attacker with access to the Sync Gateway’s public REST API was able to issue additional N1QL statements and extract sensitive data or call arbitrary N1QL functions through the parameters "startkey" and "endkey" on the "_all_docs" endpoint. By issuing nested queries with CPU-intensive operations they may have been a
nvd