Main Vulnerability Database Exploits ID:6295 - Exploit for OS command injection in CouchDB - CVE-2017-12636

ID:6295 - Exploit for OS command injection in CouchDB - CVE-2017-12636

Published: June 17, 2021

Vulnerability identifier: #VU14324

Vulnerability risk: High

CVE-ID: CVE-2017-12636

CWE-ID: CWE-78

Exploitation vector: Remote access

Vulnerable software:
CouchDB

Link to public exploit:

https://www.exploit-db.com/exploits/45019/

Vulnerability description

The vulnerability allows a remote administrative attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can configure the database server via HTTP(S) that include(s) paths for operating system-level binaries that are subsequently launched by CouchDB to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Update to version 1.7.0 or 2.1.1.

ID:6295 - Exploit for OS command injection in CouchDB - CVE-2017-12636

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human