CVE-2019-9039

Name of the Vulnerable Software and Affected Versions Couchbase Sync Gateway version 2.1.2

Description The issue allows an attacker with access to the Sync Gateway's public REST API to extract sensitive data or call arbitrary N1QL functions through the parameters startkey and endkey on the " all docs" endpoint. By issuing nested queries with CPU-intensive operations, they may cause increased resource usage and denial of service conditions.

Recommendations For Couchbase Sync Gateway version 2.1.2, update to version 2.1.3 or 2.5.0 to resolve the issue. As a temporary workaround, consider blocking external access to the " all docs" REST endpoint to mitigate the risk of exploitation. Restrict access to the startkey and endkey parameters in the " all docs" endpoint to minimize the risk of N1QL injection.