Apache CouchDB 漏洞列表

Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keysfor 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behavior that if two 'roles' keys are available in the JSON, the second one will be used for authorizing the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.

Apache CouchDB 是一个开源的无缝多主同步数据库，使用直观的HTTP/JSONAPI，并为可靠性而设计。4月26日，Apache发布安全公告，公开了ApacheCouchDB中的一个远程代码执行漏洞（CVE-2022-24706）。在3.2.2 版本之前的 Apache CouchDB中，可以在不进行身份验证的情况下访问不正确的默认安装并获得管理员权限

Apache CouchDB 是一个面向文档的数据库管理系统。当CouchDB 以集群模式安装时，会开启epmd服务，并且监听相应端口。由于在默认安装过程中Apache CouchDB 将 Erlang Cookie默认设置为 monster，若未经修改，则攻击者可利用该cookie连接epmd，在知道fqdn的情况下执行任意代码，控制服务器。