10
CVE-2022-24706
- EPSS 92.34%
- Veröffentlicht 26.04.2022 10:15:35
- Zuletzt bearbeitet 28.10.2025 13:35:43
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Remote Code Execution Vulnerability in Packaging
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.
25.08.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog
Apache CouchDB Insecure Default Initialization of Resource Vulnerability
SchwachstelleApache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges.
BeschreibungApply updates per vendor instructions.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 92.34% | 0.998 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 10 | 10 | 10 |
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-1188 Initialization of a Resource with an Insecure Default
The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html
http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html
http://www.openwall.com/lists/oss-security/2022/04/26/1
http://www.openwall.com/lists/oss-security/2022/05/09/1
http://www.openwall.com/lists/oss-security/2022/05/09/2
http://www.openwall.com/lists/oss-security/2022/05/09/3
http://www.openwall.com/lists/oss-security/2022/05/09/4
https://docs.couchdb.org/en/3.2.2/setup/cluster.html
https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24706