PT-2021-23676 · Couchbase · Couchbase Server

Published

2021-11-02

·

Updated

2021-11-08

·

CVE-2021-42763

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Couchbase Server versions 6.6.2 and earlier
Couchbase Server versions 7.x prior to 7.0.2

Description

The issue occurs when the cluster manager forwards an HTTP request from the pluggable UI to the specific service. When that forwarded request is recorded in a backtrace, the Basic Auth header included in the HTTP request contains the @ user credentials of the node processing the UI request. As a result, these credentials are stored in cleartext.

Recommendations

For Couchbase Server versions 6.6.2 and earlier, update to version 6.6.3 or later. For Couchbase Server versions 7.x prior to 7.0.2, update to version 7.0.2 or later. As a temporary workaround, consider restricting access to the pluggable UI to minimize the risk of exploitation.

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

CVE-2021-42763

Affected Products

Couchbase Server