PT-2020-15189 · Apache · Couchdb

Published 2020-05-20 · Updated 2024-03-06 · CVE-2020-1955

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CouchDB version 3.0.0
Description: The issue concerns a new configuration setting, require_valid_user_except_for_up, in CouchDB, intended to extend the require_valid_user setting by allowing anonymous requests to the /_up endpoint only. However, due to an implementation error, enabling this setting results in credentials not being enforced on any endpoint. This affects the security of the database server by allowing unauthorized access.
Recommendations: For CouchDB version 3.0.0, update to version 3.0.1 or 3.1.0 to resolve the issue. As a temporary workaround, consider disabling the require_valid_user_except_for_up setting until the update is applied. Restrict access to the database server to minimize the risk of exploitation. Avoid using the /_up endpoint with anonymous requests until the issue is resolved.
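The configuration check and the post-remediation verification implied by the recommendations above, as an added example that is not part of this advisory or of CouchDB: a Python helper that flags the vulnerable combination (version 3.0.0 with the setting enabled) in a local.ini and confirms, from the status codes an unauthenticated probe returned, that only /_up answers without credentials. The [chttpd] section name is assumed from CouchDB's configuration layout; the sample config text and probe results are constructed for illustration.

```python
"""Audit helper for CVE-2020-1955 (CouchDB 3.0.0, require_valid_user_except_for_up).

Added example, not part of the advisory or of CouchDB. Parses a local.ini
(constructed sample below) and evaluates constructed results of an
unauthenticated probe to confirm that credentials are enforced everywhere
except /_up.
"""
import configparser

AFFECTED_VERSION = "3.0.0"          # the only release with the bug (fixed in 3.0.1 / 3.1.0)
SETTING = "require_valid_user_except_for_up"
SECTION = "chttpd"                  # assumed section holding the setting

def _truthy(value):
    return str(value).strip().lower() in ("true", "1", "yes", "on")

def config_is_vulnerable(ini_text, version):
    """True when the server is 3.0.0 and [chttpd] enables the buggy setting."""
    if version.strip() != AFFECTED_VERSION:
        return False
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    return cfg.has_section(SECTION) and _truthy(cfg.get(SECTION, SETTING, fallback="false"))

def unauthenticated_leaks(probe_results):
    """Return endpoints other than /_up that answered an anonymous request with 2xx.

    probe_results maps endpoint -> HTTP status observed without credentials.
    With require_valid_user enforced, only /_up may legitimately answer 200.
    """
    return sorted(ep for ep, status in probe_results.items()
                  if ep != "/_up" and 200 <= status < 300)

# Constructed sample: the weak setting as it could appear in local.ini
WEAK_INI = """
[chttpd]
require_valid_user = true
require_valid_user_except_for_up = true
"""
# Constructed sample: the workaround, keep require_valid_user, drop the exception
HARDENED_INI = """
[chttpd]
require_valid_user = true
require_valid_user_except_for_up = false
"""
# Constructed probe results: before the fix every endpoint answered anonymously
LEAKY_PROBE = {"/_up": 200, "/_all_dbs": 200, "/inventory": 200}
FIXED_PROBE = {"/_up": 200, "/_all_dbs": 401, "/inventory": 401}

if __name__ == "__main__":
    print("3.0.0 + weak config vulnerable:", config_is_vulnerable(WEAK_INI, "3.0.0"))
    print("endpoints answering without credentials:", unauthenticated_leaks(LEAKY_PROBE))
```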

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

BIT-COUCHDB-2020-1955
CVE-2020-1955

Affected Products

Couchdb