Description
Due to differences in CouchDB's Erlang-based JSON parser and JavaScript-based JSON parser, it is possible to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with 'CVE-2017-12636' (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user.
Remediation
Upgrade to the latest version of CouchDB
References
Related Vulnerabilities
VirtueMart access control bypass
WordPress Plugin WP Support Plus Responsive Ticket System Privilege Escalation (7.1.4)
WordPress Plugin Extra User Details Privilege Escalation (0.4.2)
WordPress Plugin WP e-Commerce-Store Exporter Privilege Escalation (1.6.6)
WordPress Plugin Restaurant Reservations Privilege Escalation (1.3)