SB2019091046 - Multiple vulnerabilities in Couchbase Server
Published: September 10, 2019 Updated: August 8, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2020-9042)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as be used to perform a CSRF attack if an administrator has used their browser to check the results of a REST API request.
2) Improper Authentication (CVE-ID: CVE-2019-11466)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes system diagnostic profile via an HTTP endpoint that does not require credentials on a port earmarked for internal traffic only. This has been remedied in version 6.0.1 and now requires valid credentials to access.
3) Input validation error (CVE-ID: CVE-2019-11465)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a non-redacted username. The system information submitted to Couchbase as part of a bug report included the usernames for all users currently logged into the system even if the log was redacted for privacy. This has been fixed (in 5.5.4 and 6.0.1) so that usernames are tagged properly in the logs and are hashed out when the logs are redacted.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.