Main Vulnerability Database SB2020022202

SB2020022202 - Incorrect default permissions in Couchbase Server

Published: February 22, 2020 Updated: August 8, 2020

Security Bulletin ID SB2020022202

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Incorrect default permissions (CVE-ID: CVE-2020-9039)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles. The endpoint was unauthenticated and has been updated to only allow authenticated users to access these administrative APIs.

Remediation

Install update from vendor's website.

References

https://www.couchbase.com/resources/security#SecurityAlerts