Description
Due to differences in CouchDB's Erlang-based JSON parser and JavaScript-based JSON parser, it is possible to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with 'CVE-2017-12636' (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user.
Remediation
Upgrade to the latest version of CouchDB
References
Related Vulnerabilities
WordPress Plugin PowerPack Pro for Elementor Privilege Escalation (2.10.14)
Joomla! 1.6/1.7/2.5 privilege escalation vulnerability
WordPress Plugin Contact Form 7 Privilege Escalation (5.0.3)
Broken access control in Confluence Server and Data Center (CVE-2023-22515)
WooCommerce Payments Authentication Bypass and Privilege Escalation