PT-2016-3266 · Apache · Pouchdb

Published 2016-10-17 · Updated 2019-10-09 · CVE-2016-10546

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: PouchDB versions prior to 6.0.5

Description: A code injection vector was found in the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed, allowing an attacker to run arbitrary JavaScript as well as system commands. This issue is related to insufficient control of code generation. Under certain circumstances, an attacker could use this to run arbitrary code on the server.

Recommendations: Update to version 6.0.5 or later. As a temporary workaround, consider disabling the map/reduce functions for temporary views and design documents until a patch is available.

Fix

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2018-00915
CVE-2016-10546
GHSA-CGQV-X5CX-XVQH

Affected Products

Pouchdb