PT-2021-22017 · Apache · Apache CouchDB

Cory Sabol · Published 2021-10-14 · Updated 2024-03-06

CVE-2021-38295
CVSS v3.1: 7.3 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Apache CouchDB versions prior to 3.1.2
Description: A malicious user with permission to create documents in a database can attach an HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, any JavaScript embedded in the HTML attachment is executed within the security context of that admin. This allows an attacker to add or remove data in any database or make configuration changes.
Recommendations: For versions prior to 3.1.2, update to version 3.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to HTML attachments in Fauxton, the CouchDB admin interface, to reduce the risk of exploitation. Avoid using the deprecated show and list functionality until the issue is resolved.
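As an added audit aid (not part of this advisory or of the CouchDB project), the script below walks the `_all_docs?include_docs=true` result of a database and lists attachments whose declared content type a browser would render as an active document; the set of flagged types, the sample rows and the helper names are assumptions made for this example.

```python
import base64
import json
import urllib.request
from urllib.parse import quote

# Media types a browser renders as an active document (scripts run) when the
# attachment URL is opened directly. Assumed list for this example.
ACTIVE_CONTENT_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def normalize_content_type(ct):
    """Lower-case the media type and drop parameters such as '; charset=utf-8'."""
    return (ct or "").split(";", 1)[0].strip().lower()


def find_active_attachments(rows):
    """Return (doc_id, attachment_name, media_type) for every attachment stub
    in an _all_docs?include_docs=true result whose type a browser would render."""
    hits = []
    for row in rows:
        doc = row.get("doc") or {}
        for name, meta in (doc.get("_attachments") or {}).items():
            ct = normalize_content_type(meta.get("content_type"))
            if ct in ACTIVE_CONTENT_TYPES:
                hits.append((doc["_id"], name, ct))
    return hits


def fetch_all_docs(base_url, db, auth=None):
    """Pull every document (attachments come back as stubs) from a live CouchDB.
    auth is an optional (user, password) tuple sent as HTTP Basic credentials."""
    req = urllib.request.Request(f"{base_url}/{quote(db, safe='')}/_all_docs?include_docs=true")
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["rows"]


# Constructed sample mimicking the shape of an _all_docs?include_docs=true response.
SAMPLE_ROWS = [
    {"id": "invoice-1", "doc": {"_id": "invoice-1", "_attachments": {
        "invoice.pdf": {"content_type": "application/pdf", "length": 1024, "stub": True}}}},
    {"id": "note-7", "doc": {"_id": "note-7", "_attachments": {
        "readme.txt": {"content_type": "text/plain", "stub": True},
        "page.html": {"content_type": "text/HTML; charset=utf-8", "stub": True}}}},
    {"id": "logo", "doc": {"_id": "logo", "_attachments": {
        "logo.svg": {"content_type": "image/svg+xml", "stub": True}}}},
    {"id": "_design/app", "doc": {"_id": "_design/app", "views": {}}},
]

if __name__ == "__main__":
    for doc_id, name, ct in find_active_attachments(SAMPLE_ROWS):
        print(f"{doc_id}/{name}: {ct}")
```

Replace `SAMPLE_ROWS` with `fetch_all_docs("http://localhost:5984", "mydb", ("admin", "secret"))` to run it against a real instance.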

XSS

Weakness Enumeration

Related Identifiers

BIT-COUCHDB-2021-38295
CVE-2021-38295
MGASA-2021-0520

Affected Products

Apache CouchDB