Description

Due to differences in CouchDB's Erlang-based JSON parser and JavaScript-based JSON parser, it is possible to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with 'CVE-2017-12636' (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user.

Remediation

Upgrade to the latest version of CouchDB

References

Remote Code Execution in CouchDB

Apache CouchDB CVE-2017-12635 and CVE-2017-12636

Related Vulnerabilities

JIRA Security Advisory 2012-08-28

WordPress Plugin Malware Scanner Privilege Escalation (4.7.2)

WordPress Plugin WP e-Commerce-Store Exporter Privilege Escalation (1.6.6)

WordPress Plugin WPGateway Privilege Escalation (3.5)

Improper Authorization in Confluence Server and Data Center (CVE-2023-22518)

Severity

High

Classification

CVE-2017-12635 CWE-285 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Privilege Escalation