CVE-2017-12635

Name of the Vulnerable Software and Affected Versions Apache CouchDB versions prior to 1.7.0 Apache CouchDB versions 2.x prior to 2.1.1

Description The issue is related to differences in the Erlang-based JSON parser and JavaScript-based JSON parser in Apache CouchDB. This can allow a remote attacker, who is not an administrator, to gain access to execute arbitrary shell commands on the server with administrator privileges. The vulnerability enables non-admin users to assign themselves admin roles by submitting users documents with duplicate keys for 'roles' used for access control within the database.

Recommendations For Apache CouchDB versions prior to 1.7.0, update to version 1.7.0 or later to resolve the issue. For Apache CouchDB versions 2.x prior to 2.1.1, update to version 2.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the users document and limiting the ability of non-admin users to assign themselves roles until a patch is available.