Description
Due to differences in CouchDB's Erlang-based JSON parser and JavaScript-based JSON parser, it is possible to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with 'CVE-2017-12636' (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user.
Remediation
Upgrade to the latest version of CouchDB
References
Related Vulnerabilities
WordPress Plugin Restaurant Reservations Privilege Escalation (1.3)
JIRA Security Advisory 2012-08-28
WordPress Plugin WooCommerce Privilege Escalation (3.5.0)
WordPress Plugin WP Support Plus Responsive Ticket System Privilege Escalation (7.1.4)
VMware directory traversal and privilege escalation vulnerabilities