CVE-2017-12635 Scanner
Detects the 'Remote Privilege Escalation' vulnerability in Apache Software Foundation Apache CouchDB, affecting versions 1.2.0 through 1.6.1 and 2.0.0 through 2.1.0.
Short Info
- Level: Critical
- Type: Single Scan
- Can be used by: Asset Owner
- Estimated Time: 15 sec
- Scan only one: URL
- Parent Category
CVE-2017-12635 Scanner Detail
Apache CouchDB is a database application that is developed under open-source licenses, featuring document-oriented NoSQL data storage technology. The tool is utilized mainly by web developers connecting to the server using HTTP/REST APIs, JavaScript-powered web applications, and external applications.
The CVE-2017-12635 vulnerability in Apache CouchDB results from differences between the Erlang-based JSON parser and the JavaScript-based JSON parser. It affects Apache CouchDB before 1.7.0 and 2.x before 2.1.1 and allows the submission of _users documents with duplicate keys for 'roles', the field used for access control within the database, including the special '_admin' role that denotes administrative users. This vulnerability gives non-admin users a path to gaining access to arbitrary shell commands on the server as the database system user.
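As an added example (not the scanner's own code), the following Python checks the version field of a CouchDB welcome banner (the JSON returned by GET /) against the affected ranges stated above; the sample banner is constructed and the base_url argument of scan() is an assumption about your own instance.

```python
import json
import re
import urllib.request
from typing import Optional, Tuple

# Affected version ranges for CVE-2017-12635 as stated on this page:
# 1.2.0 through 1.6.1 (fixed in 1.7.0) and 2.0.0 through 2.1.0 (fixed in 2.1.1).
AFFECTED_RANGES = (((1, 2, 0), (1, 6, 1)), ((2, 0, 0), (2, 1, 0)))

# Constructed sample of the JSON a CouchDB server returns for GET /
# (field names follow CouchDB's real welcome banner; the values are made up).
SAMPLE_BANNER = '{"couchdb":"Welcome","version":"2.1.0","vendor":{"name":"The Apache Software Foundation"}}'


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2.1.0' (or '1.6.1-suffix') into a comparable tuple; None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(version)
    if v is None:
        return False
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess_banner(body: str) -> dict:
    """Classify a CouchDB welcome banner (JSON text) for CVE-2017-12635."""
    try:
        data = json.loads(body)
    except ValueError:
        return {"couchdb": False, "version": None, "affected": False}
    if not isinstance(data, dict) or data.get("couchdb") != "Welcome" or "version" not in data:
        return {"couchdb": False, "version": None, "affected": False}
    version = str(data["version"])
    return {"couchdb": True, "version": version, "affected": is_affected(version)}


def scan(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch GET / from a CouchDB instance you operate and assess it (base_url is assumed)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/", timeout=timeout) as resp:
        return assess_banner(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print(assess_banner(SAMPLE_BANNER))
```

A version check only tells you the server reports a vulnerable release; patching to 1.7.0 / 2.1.1 or later is the fix the referenced advisories describe.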
When exploited, this vulnerability can lead to tampering with or even loss of sensitive data, which can be used to carry out sophisticated attacks on businesses, organizations, and even individuals. Because full admin privileges are granted to a non-admin user, the loophole can allow unauthorized users to manipulate sensitive information, leading to security breaches, data loss, reputational damage, or other catastrophic consequences.
Securityforeveryone.com is a platform that provides pro features that can be employed to learn about vulnerabilities in digital assets quickly and efficiently. Using the platform, those who read this article can keep their digital assets such as databases, software, and websites secure at all times by learning about vulnerabilities, their potential impacts, and appropriate measures to take. Users can quickly determine if their digital assets are affected by Apache CouchDB vulnerabilities and protect their databases against potential attacks.
REFERENCES
- exploit-db.com: 44498
- exploit-db.com: 45019
- lists.apache.org: [dev] 20171114 Apache CouchDB CVE-2017-12635 and CVE-2017-12636
- security.gentoo.org: GLSA-201711-16
- lists.debian.org: [debian-lts-announce] 20180121 [SECURITY] [DLA 1252-1] couchdb security update
- securityfocus.com: 101868
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03935en_us