Description
Because CouchDB's Erlang-based JSON parser and its JavaScript-based JSON parser handle duplicate keys differently, it is possible to submit '_users' documents containing duplicate 'roles' keys. The 'roles' field is used for access control within the database and includes the special '_admin' role, which denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users the ability to run arbitrary shell commands on the server as the database system user.
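The following is an added example, not code from CouchDB or from this advisory. It models the parser differential described above with two lenient readers (one that keeps the first occurrence of a repeated key, one that keeps the last; which side of CouchDB behaved which way is assumed here for illustration) and shows the defensive fix: a strict parser that rejects any document repeating a key. The sample '_users' document is constructed for the demonstration.

```python
import json
from typing import Any, Callable

# Constructed sample: a _users document with two 'roles' keys, as described in the advisory.
SAMPLE_DOC = '{"type":"user","name":"example","roles":["_admin"],"roles":[]}'
# Constructed sample with no repeated keys.
CLEAN_DOC = '{"type":"user","name":"example","roles":[]}'


def _collecting_hook(dupes: list[str], keep_first: bool) -> Callable[[list[tuple[str, Any]]], dict[str, Any]]:
    """Build an object_pairs_hook that records repeated keys and resolves them
    either first-wins or last-wins, mimicking a lenient parser."""
    def hook(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
        obj: dict[str, Any] = {}
        for key, value in pairs:
            if key in obj:
                dupes.append(key)
                if keep_first:
                    continue  # first occurrence already stored; ignore the repeat
            obj[key] = value
        return obj
    return hook


def find_duplicate_keys(raw: str) -> list[str]:
    """Return every key that appears more than once in any object of the document."""
    dupes: list[str] = []
    json.loads(raw, object_pairs_hook=_collecting_hook(dupes, keep_first=True))
    return dupes


def parser_views(raw: str) -> tuple[Any, Any]:
    """Return the 'roles' value as seen by a first-wins and by a last-wins parser.
    When the two differ, an access-control check made by one parser does not
    constrain what the other parser stores."""
    first = json.loads(raw, object_pairs_hook=_collecting_hook([], keep_first=True))
    last = json.loads(raw, object_pairs_hook=_collecting_hook([], keep_first=False))
    return first.get("roles"), last.get("roles")


def parse_strict(raw: str) -> dict[str, Any]:
    """Mitigation: parse the document but refuse it if any object repeats a key,
    so every component downstream sees exactly one value per field."""
    dupes = find_duplicate_keys(raw)
    if dupes:
        raise ValueError(f"duplicate JSON keys rejected: {sorted(set(dupes))}")
    return json.loads(raw)
```

Feeding SAMPLE_DOC to parser_views yields ['_admin'] from the first-wins reader and [] from the last-wins reader, which is the inconsistency that made the duplicate-key document dangerous; parse_strict refuses it outright.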
Remediation
Upgrade to the latest version of CouchDB.