PT-2021-16722 · Couchbase · Couchbase Server

Published 2021-05-19 · Updated 2021-05-25 · CVE-2021-25644

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Couchbase Server versions 5.x through 6.6.1
Couchbase Server version 7.0.0 Beta

Description

An issue in Couchbase Server allows incorrect commands to the REST API to result in leaked authentication information. This information is stored in cleartext in the debug.log and info.log files and is also visible to administrators in the UI.

Recommendations

For Couchbase Server versions 5.x through 6.6.1, consider restricting access to the debug.log and info.log files to minimize the risk of exploitation. For Couchbase Server version 7.0.0 Beta, avoid using the REST API until the issue is resolved. As a temporary workaround, consider disabling the REST API functionality until a patch is available.

Fix

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

CVE-2021-25644

Affected Products

Couchbase Server