#VU75675 Improper access control in CouchDB - CVE-2023-26268

Published: May 2, 2023


Vulnerability identifier: #VU75675
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-26268
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: CouchDB
Software vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the couchjs processes. Design documents with matching document IDs, from databases on the same cluster, may share a mutable JavaScript environment when using these design document functions:

  • validate_doc_update
  • list
  • filter
  • filter views (using view functions as filters)
  • rewrite
  • update
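
As an added exposure check (not part of this advisory or of CouchDB itself), the script below inventories design documents across the databases of one cluster and reports every `_id` whose copies define one of the function types listed above in two or more databases, which is the condition under which their couchjs environment may be shared. The fetch helper uses the standard `_all_dbs` and `_design_docs` endpoints; the base URL and credentials are the caller's assumptions, and the sample inventory is constructed.

```python
import base64
import json
import urllib.request
from collections import defaultdict

# Design-document fields the advisory lists as running in the shared couchjs
# environment; "views" is included because a view can serve as a _changes filter.
AFFECTED_FIELDS = ("validate_doc_update", "lists", "filters", "views", "rewrites", "updates")

def affected_functions(ddoc):
    """Affected field names a design document actually defines."""
    return [field for field in AFFECTED_FIELDS if ddoc.get(field)]

def find_shared_design_ids(ddocs_by_db):
    """ddocs_by_db maps db name -> list of design docs. Returns
    {ddoc_id: {db: [affected fields]}} for every _id whose copies define
    affected functions in two or more databases."""
    usage = defaultdict(dict)
    for db, ddocs in ddocs_by_db.items():
        for ddoc in ddocs:
            fields = affected_functions(ddoc)
            if fields:
                usage[ddoc["_id"]][db] = fields
    return {ddoc_id: dbs for ddoc_id, dbs in usage.items() if len(dbs) >= 2}

def fetch_design_docs(base_url, auth=None):
    """Pull design docs from a live cluster via GET /_all_dbs and GET
    /{db}/_design_docs?include_docs=true; auth is an optional (user, password) pair."""
    headers = {}
    if auth:
        headers["Authorization"] = "Basic " + base64.b64encode(
            f"{auth[0]}:{auth[1]}".encode()).decode()
    def get(path):
        req = urllib.request.Request(base_url.rstrip("/") + path, headers=headers)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return {db: [row["doc"] for row in get(f"/{db}/_design_docs?include_docs=true")["rows"]]
            for db in get("/_all_dbs") if not db.startswith("_")}

# Constructed sample inventory (not real data): tenant_a and tenant_b both carry
# _design/app; tenant_c and tenant_d share _design/other, but tenant_d's copy
# defines none of the affected functions and so is not reported.
SAMPLE = {
    "tenant_a": [{"_id": "_design/app", "validate_doc_update": "function(newDoc) { }",
                  "views": {"by_type": {"map": "function(doc) { emit(doc.type); }"}}}],
    "tenant_b": [{"_id": "_design/app", "filters": {"mine": "function(doc, req) { return true; }"}}],
    "tenant_c": [{"_id": "_design/other", "updates": {"touch": "function(doc, req) { }"}}],
    "tenant_d": [{"_id": "_design/other", "language": "javascript"}],
}
```

Run `find_shared_design_ids(fetch_design_docs("http://couchdb.example:5984", ("admin", "secret")))` against a cluster you administer to list the design-document IDs worth renaming or consolidating until the update is applied.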

Remediation

Install updates from the vendor's website.

External links