CVE-2018-15728

Name of the Vulnerable Software and Affected Versions Couchbase Server versions 4.0.0 through 5.5.1

Description The issue allows authenticated users with the 'Full Admin' role to execute arbitrary Erlang code on the underlying operating system with the privileges of the user running Couchbase. This is possible due to the exposure of the "/diag/eval" endpoint, which is available by default on TCP/8091 and/or TCP/18091.

Recommendations For versions 4.0.0 through 5.5.1, update to version 5.5.2 or 6.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the "/diag/eval" endpoint until a patch is applied.