9

CVE-2018-11769

EPSS 6.35%
Published 08.08.2018 15:29:00
Last modified 21.11.2024 03:43:59
Source security@apache.org
Teams watchlist Login
Open Login

CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user under which CouchDB runs, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows a CouchDB admin user to gain arbitrary remote code execution, bypassing CVE-2017-12636 and CVE-2018-8007.

Affected products Warnungen 0 Metrics 3 CWE 0 References 9

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Couchdb Version < 2.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	6.35%	0.907

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9	8	10	AV:N/AC:L/Au:S/C:C/I:C/A:C

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03935en_us

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S5FPHVVU5KMRFKQTJPAM3TBGC7LKCWQS/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3JOUCX7LHDV4YWZDQNXT5NTKKRANZQW/

https://security.gentoo.org/glsa/201812-06

Third Party Advisory

http://www.securityfocus.com/bid/105046

Third Party Advisory

VDB Entry

https://lists.apache.org/thread.html/1052ad7a1b32b9756df4f7860f5cb5a96b739f444117325a19a4bf75%40%3Cdev.couchdb.apache.org%3E

https://nvd.nist.gov/vuln/detail/CVE-2018-11769

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-11769

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-11769

EUVD