PT-2017-12615 · Apache · Apache Couchdb

Joan Touzet

Publicado

2017-11-14

Atualizado

2019-05-13

CVE-2017-12636

CVSS v2.0

9.0

Alta

Vetor

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Apache CouchDB versions prior to 1.7.0 Apache CouchDB versions 2.x prior to 2.1.1

Description The issue allows an admin user to execute arbitrary shell commands as the CouchDB user. This can be achieved by configuring the database server via HTTP(S) and specifying paths for operating system-level binaries that are subsequently launched by CouchDB. The admin user can also download and execute scripts from the public internet.

Recommendations For Apache CouchDB versions prior to 1.7.0, update to version 1.7.0 or later to resolve the issue. For Apache CouchDB versions 2.x prior to 2.1.1, update to version 2.1.1 or later to resolve the issue.

Exploit

Correção

OS Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-78

Identificadores relacionados

CVE-2017-12636

DLA-1252-1

SUSE-SU-2018:2578-1

Produtos afetados

Apache Couchdb

PT-2017-12615 · Apache · Apache Couchdb

CVE-2017-12636

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 23