Description

Due to differences in CouchDB's Erlang-based JSON parser and JavaScript-based JSON parser, it is possible to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with 'CVE-2017-12636' (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user.

Remediation

Upgrade to the latest version of CouchDB

References

Remote Code Execution in CouchDB

Apache CouchDB CVE-2017-12635 and CVE-2017-12636

Related Vulnerabilities

JIRA Security Advisory 2014-02-26

WordPress Plugin WatchTowerHQ Privilege Escalation (3.6.16)

WordPress Plugin WP GDPR Compliance Privilege Escalation (1.4.2)

WordPress Plugin WP e-Commerce-Store Exporter Privilege Escalation (1.6.6)

SAML Response without signature

Severity

High

Classification

CVE-2017-12635 CWE-285 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Privilege Escalation