Input validation error in Couchbase Server - CVE-2019-11465
Published: September 10, 2019 / Updated: August 8, 2020
Vulnerability identifier: #VU35514
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-11465
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Couchbase
Affected software:
Couchbase Server
Couchbase Server
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a non-redacted username. The system information submitted to Couchbase as part of a bug report included the usernames for all users currently logged into the system even if the log was redacted for privacy. This has been fixed (in 5.5.4 and 6.0.1) so that usernames are tagged properly in the logs and are hashed out when the logs are redacted.
How to mitigate CVE-2019-11465
Install update from vendor's website.