Resource exhaustion in Couchbase Server - CVE-2019-11467
Published: September 10, 2019 / Updated: August 8, 2020
Vulnerability identifier: #VU35510
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-11467
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Couchbase
Affected software:
Couchbase Server
Couchbase Server
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In Couchbase Server 4.6.3 and 5.5.0, secondary indexing encodes the entries to be indexed using collatejson. When index entries contain certain characters like , <, >, it caused buffer overrun as encoded string would be much larger than accounted for, causing indexer service to crash and restart. This has been remedied in versions 5.1.2 and 5.5.2 to ensure buffer always grows as needed for any input.
How to mitigate CVE-2019-11467
Install update from vendor's website.