Improper Certificate Validation in Couchbase Server - CVE-2019-11497


Published: September 10, 2019 / Updated: August 8, 2020


Vulnerability identifier: #VU35512
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-11497
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Couchbase
Affected software:
Couchbase Server

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. It then accepted the invalid certificate and attempted to use it to establish future connections to the remote cluster. This has been fixed in version 5.5.0. XDCR now checks the validity of the certificate thoroughly and prevents a remote cluster reference from being created with an invalid certificate.
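The check the description calls for, written out as an added example (this is illustrative code, not Couchbase's XDCR implementation): the remote cluster certificate is decoded, parsed, confirmed to be a CA certificate, its self-signature is verified against the embedded public key, and its validity period is checked before anything is stored. It assumes the pasted certificate is the remote cluster's self-signed root CA. The `ParsesOnly` helper mirrors the weak behaviour the advisory describes, where the certificate is accepted as soon as it decodes, and the test certificate is constructed inline so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidateRemoteClusterCert is a hypothetical pre-storage check for a remote
// cluster reference: PEM decode, DER parse, CA check, self-signature check,
// validity-period check. Any failure rejects the reference.
func ValidateRemoteClusterCert(pemBytes []byte, now time.Time) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("input contains no PEM block")
	}
	if block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("certificate does not parse: %w", err)
	}
	// Assumption: the remote cluster certificate is the remote cluster's
	// self-signed root CA, so it must carry the CA basic constraint.
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return nil, errors.New("certificate is not a CA certificate")
	}
	// Parsing proves nothing about authenticity; the signature must be checked.
	if err := cert.CheckSignatureFrom(cert); err != nil {
		return nil, fmt.Errorf("self-signature does not verify: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("certificate not valid at %s (valid %s to %s)",
			now.Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	return cert, nil
}

// ParsesOnly reproduces the weak acceptance path: PEM decoded and DER parsed,
// signature never checked. A tampered certificate passes this.
func ParsesOnly(pemBytes []byte) bool {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return false
	}
	_, err := x509.ParseCertificate(block.Bytes)
	return err == nil
}

// NewSelfSignedCAPEM builds a constructed test root certificate. Ed25519 is
// used because its 64-byte signature sits at the very end of the DER, which
// makes the tampering below deterministic.
func NewSelfSignedCAPEM(cn string, notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// TamperSignature flips the last byte of the signature. The DER structure is
// untouched, so the result still parses, but the signature no longer matches.
func TamperSignature(pemBytes []byte) []byte {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil
	}
	der := append([]byte(nil), block.Bytes...)
	der[len(der)-1] ^= 0x01
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Date(2019, time.September, 10, 0, 0, 0, 0, time.UTC)
	good, err := NewSelfSignedCAPEM("remote-cluster-ca (constructed)", now.Add(-24*time.Hour), 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	inputs := map[string][]byte{"valid": good, "tampered": TamperSignature(good), "garbage": []byte("not a certificate")}
	for name, in := range inputs {
		_, err := ValidateRemoteClusterCert(in, now)
		fmt.Printf("%-8s parses=%v validates=%v err=%v\n", name, ParsesOnly(in), err == nil, err)
	}
}
```

The tampered input is the interesting case: it decodes and parses cleanly, so a parse-only acceptance path stores it and only discovers the problem when the next XDCR connection to the remote cluster fails, whereas the signature check rejects it at reference-creation time.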


How to mitigate CVE-2019-11497

Install the update from the vendor's website.

Sources