PT-2023-20577 · Apache · Apache Couchdb
Nick Vatamaniuc
·
Published
2023-05-02
·
Updated
2024-03-06
·
CVE-2023-26268
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache CouchDB versions prior to 3.2.3
Apache CouchDB versions prior to 3.3.2
Description
Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions:
- validate doc update
- list
- filter
- filter views (using view functions as filters)
- rewrite
- update This doesn't affect map/reduce or search (Dreyfus) index functions.
Recommendations
For versions prior to 3.2.3, upgrade to Apache CouchDB 3.2.3 or later.
For versions prior to 3.3.2, upgrade to Apache CouchDB 3.3.2 or later.
As a temporary workaround, consider avoiding the use of design documents from untrusted sources which may attempt to cache or store data in the Javascript environment.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Couchdb