Description
Due to differences in CouchDB's Erlang-based JSON parser and JavaScript-based JSON parser, it is possible to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with 'CVE-2017-12636' (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user.
Remediation
Upgrade to the latest version of CouchDB
References
Related Vulnerabilities
WordPress Plugin Product Catalog Privilege Escalation (3.8.1)
WordPress Plugin Slick Popup:Contact Form 7 Popup Privilege Escalation (1.7.1)
WordPress plugin All in One SEO Pack privilege escalation vulnerabilities
WordPress Plugin Simplr Registration Form Plus+ Privilege Escalation (2.4.3)
WordPress Plugin WP e-Commerce-Store Toolkit Privilege Escalation (2.0)