PT-2020-20452 · Couchbase · Couchbase Server

Published

2020-02-22

·

Updated

2022-01-01

·

CVE-2020-9039

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Couchbase Server versions 4.0.0 through 4.6.5
Couchbase Server versions 5.0.0 through 5.5.1
Description

The issue is insecure permissions on the projector and indexer REST endpoints, which allow unauthenticated access. In particular, the /settings REST endpoint, which administrators use for tasks such as updating configuration and collecting performance profiles, originally required no authentication at all, so any client able to reach it could read and change administrative state. The endpoint has since been updated so that these administrative APIs require authentication.
Recommendations

For Couchbase Server versions 4.0.0 through 4.6.5 and 5.0.0 through 5.5.1, update the configuration so that only authenticated users can access the administrative APIs. As a temporary workaround until that change is in place, restrict network access to the /settings REST endpoint. After remediation, confirm that an anonymous request to /settings is rejected and that only an authenticated request succeeds.
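The check described above, as an added example that is not code from this page or from Couchbase: a small Python probe that sends an anonymous GET to an administrative endpoint such as /settings and reports whether the server answers it (the exposure the advisory describes) or demands credentials (the fixed behaviour). The target base URL, the use of HTTP Basic authentication, the choice to read 401/403 as "protected", and the local mock server that imitates the two behaviours for an offline run are all assumptions made for the demonstration; the real host and port of the projector and indexer endpoints are not stated on this page and must be supplied by the operator.

```python
"""Probe an administrative REST endpoint (e.g. /settings) for anonymous access.
Added example for the advisory above; not Couchbase code."""
import base64
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ADMIN_PATH = "/settings"  # endpoint named in the advisory

# Direct connection only: a proxy picked up from the environment would
# answer on the server's behalf and distort the result.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(base_url, path=ADMIN_PATH, credentials=None, timeout=5):
    """GET base_url+path and return (http_status, body_bytes).

    credentials=(user, password) sends HTTP Basic auth (an assumption about
    the target); None sends no Authorization header at all, which is the
    anonymous case the advisory is about.
    """
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    if credentials is not None:
        token = base64.b64encode(
            f"{credentials[0]}:{credentials[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def assess(base_url, path=ADMIN_PATH):
    """Classify the endpoint from the anonymous response alone:
    'exposed'   - 2xx without credentials (the vulnerable behaviour)
    'protected' - 401/403 without credentials (authentication enforced)
    'unknown'   - anything else (wrong host, port or path)"""
    status, _ = probe(base_url, path)
    if 200 <= status < 300:
        return "exposed"
    if status in (401, 403):
        return "protected"
    return "unknown"


class _MockAdminHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the /settings endpoint so the check can be
    exercised offline. require_auth=False models the affected releases,
    require_auth=True the fixed behaviour. Not Couchbase's implementation."""
    require_auth = False

    def do_GET(self):
        if self.path != ADMIN_PATH:
            self.send_error(404)
            return
        if self.require_auth and not self.headers.get("Authorization"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="admin"')
            self.end_headers()
            return
        body = json.dumps({"note": "constructed sample settings"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_mock(require_auth):
    """Start a mock server on an ephemeral localhost port.
    Returns (base_url, server); call server.shutdown() when done."""
    handler = type("MockHandler", (_MockAdminHandler,),
                   {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


if __name__ == "__main__":
    for require_auth in (False, True):
        url, server = start_mock(require_auth)
        print(f"auth enforced={require_auth}: {ADMIN_PATH} is {assess(url)}")
        server.shutdown()
        server.server_close()
```

Against a real deployment, call `assess("http://<host>:<port>")` from an unprivileged network position: a 2xx on the anonymous GET means the instance still exhibits the exposure, while after the configuration change only the probe carrying valid credentials should get a 2xx. The mock exists solely so the two outcomes can be seen side by side without a live server.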

Weakness Enumeration

Incorrect Default Permissions (CWE-276)

Related Identifiers

CVE-2020-9039

Affected Products

Couchbase Server