CVE-2021-37842

Name of the Vulnerable Software and Affected Versions: Couchbase Server version 7.0.0

Description: The issue arises from the use of cleartext for storage of sensitive information in metakv within Couchbase Server. Specifically, Remote Cluster XDCR credentials can be leaked in debug logs. This occurs when a config key being logged has a tombstone purger time-stamp attached to it. Config key tombstone purging was introduced in Couchbase Server 7.0.0 as a feature.

Recommendations: For Couchbase Server version 7.0.0, consider disabling the logging of config keys with tombstone purger time-stamps to prevent the leakage of Remote Cluster XDCR credentials in debug logs. Restrict access to debug logs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.