Apache CouchDB 1.x / 2.1.x <= 2.1.2 Privilege Escalation

High Nessus Plugin ID 111967

Synopsis

The remote database server is potentially affected by a privilege escalation vulnerability.

Description

According to its banner, the version of CouchDB running on the remote host is 1.x, or 2.1.x up to and including 2.1.2. It is, therefore, potentially affected by a privilege escalation vulnerability: insufficient validation of configuration settings submitted through the HTTP(S) API allows a CouchDB administrative user to bypass the blacklist of settings that must not be modified over HTTP, and thereby execute arbitrary code on the underlying operating system as the account the CouchDB service runs under. In effect, a CouchDB administrator is equivalent to an operating-system user on the database host.

Note that Nessus has not actually tested for this flaw but has relied solely on the version string reported in CouchDB's banner.

Solution

Upgrade to CouchDB 2.2.0 or later. Because exploitation requires administrator credentials (PR:H in the CVSS v3 vector below), also review which accounts hold the server admin role until the upgrade is complete.
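The following is an added example, not Nessus plugin code or code from the CouchDB project. It reproduces the plugin's decision logic: read the version field from the JSON welcome banner that CouchDB returns for GET /, and compare it against the advisory's affected range (1.x and <= 2.1.2, fixed in 2.2.0). The sample banners and host names are constructed for the demo; a 0.x version or an unparseable version string is reported as unknown rather than silently treated as clean.

```python
"""Banner-based check for CVE-2018-11769 (CouchDB admin -> OS code execution).

Added example, not Nessus plugin code. Mirrors the plugin's approach of trusting
the ``version`` field of CouchDB's ``GET /`` welcome banner and comparing it
against the affected range: 1.x and 2.x up to and including 2.1.2 (fixed 2.2.0).
"""
import json
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

FIXED_VERSION: Version = (2, 2, 0)   # first release carrying the fix
MIN_ADVISORY_VERSION: Version = (1, 0, 0)  # advisory covers 1.x and later

# Constructed sample banners, one per (hypothetical) host. The JSON shape is
# what CouchDB 1.x/2.x return for GET /; versions are chosen to hit each branch.
SAMPLE_BANNERS: Dict[str, str] = {
    "db1": '{"couchdb":"Welcome","version":"1.7.1",'
           '"vendor":{"name":"The Apache Software Foundation"}}',
    "db2": '{"couchdb":"Welcome","version":"2.1.2","features":["scheduler"],'
           '"vendor":{"name":"The Apache Software Foundation"}}',
    "db3": '{"couchdb":"Welcome","version":"2.2.0","features":["scheduler"],'
           '"vendor":{"name":"The Apache Software Foundation"}}',
    "db4": '{"couchdb":"Welcome","version":"unknown"}',
    "db5": '<html><body>not couchdb</body></html>',
}


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from a banner version string.

    Tolerates a leading 'v', a missing patch component and trailing suffixes
    such as '2.1.0-rc.1'. Returns None when no dotted numeric version is
    present so the caller can report 'unknown' instead of 'not affected'.
    """
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: Version) -> bool:
    """True for every release from 1.0.0 up to, but excluding, 2.2.0."""
    return MIN_ADVISORY_VERSION <= version < FIXED_VERSION


def assess_banner(raw_banner: str) -> dict:
    """Evaluate one CouchDB welcome banner (the body returned by GET /).

    Verdicts: 'affected', 'not_affected', 'unknown' (no usable version, or a
    0.x release outside the advisory's stated range) or 'not_couchdb'.
    """
    try:
        doc = json.loads(raw_banner)
    except json.JSONDecodeError:
        return {"verdict": "not_couchdb", "version": None}
    if not isinstance(doc, dict) or doc.get("couchdb") != "Welcome":
        return {"verdict": "not_couchdb", "version": None}

    version = parse_version(str(doc.get("version", "")))
    if version is None or version < MIN_ADVISORY_VERSION:
        return {"verdict": "unknown", "version": version}
    verdict = "affected" if is_affected(version) else "not_affected"
    return {"verdict": verdict, "version": version}


def scan(banners: Dict[str, str]) -> Dict[str, str]:
    """Map each host name to its verdict; handy for a fleet-wide sweep."""
    return {host: assess_banner(body)["verdict"] for host, body in banners.items()}


if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

Like the plugin, this is a version check only: it cannot tell whether the admin role is actually reachable from the network or whether a fixed build reports an unexpected version string, which is why unparseable banners are surfaced for manual follow-up rather than dropped.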

See Also

http://docs.couchdb.org/en/stable/cve/2018-11769.html

Plugin Details

Severity: High

ID: 111967

File Name: couchdb_2_2_0.nasl

Version: 1.3

Type: remote

Family: Databases

Published: 2018/08/17

Updated: 2018/12/07

Dependencies: 51922

Configuration: Enable paranoid mode

Risk Information

Risk Factor: High

CVSS Score Source: CVE-2018-11769

CVSS v2.0

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS v3.0

Base Score: 7.2

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:apache:couchdb

Required KB Items: Settings/ParanoidReport, www/couchdb

Patch Publication Date: 2018/08/08

Vulnerability Publication Date: 2018/08/08

Reference Information

CVE: CVE-2018-11769

BID: 105046

IAVB: 2018-B-0099