Description
Due to differences in CouchDB's Erlang-based JSON parser and JavaScript-based JSON parser, it is possible to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with 'CVE-2017-12636' (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user.
Remediation
Upgrade to the latest version of CouchDB
References
Related Vulnerabilities
Broken access control in Confluence Server and Data Center (CVE-2023-22515)
Unrestricted access to Apache HugeGraph
WordPress Plugin Store Locator Plus for WordPress Privilege Escalation (5.5.14)
WordPress Plugin Malware Scanner Privilege Escalation (4.7.2)
WordPress Plugin MasterStudy LMS-for Online Courses and Education Privilege Escalation (3.3.1)