Description

Due to differences in CouchDB's Erlang-based JSON parser and JavaScript-based JSON parser, it is possible to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with 'CVE-2017-12636' (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user.

Remediation

Upgrade to the latest version of CouchDB

References

Remote Code Execution in CouchDB

Apache CouchDB CVE-2017-12635 and CVE-2017-12636

Related Vulnerabilities

BuddyPress REST API Privilege Escalation

WordPress Plugin Chat-Support Board-WordPress Chat Privilege Escalation (3.3.8)

WordPress Plugin WooCommerce Privilege Escalation (3.5.0)

WordPress Plugin Login as User or Customer Privilege Escalation (3.2)

WordPress Plugin NextGEN Gallery-WordPress Gallery Privilege Escalation (3.2.2)

Severity

High

Classification

CVE-2017-12635 CWE-285 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Privilege Escalation