CVE-2018-8007
moderate-risk
Published 2018-07-11
Apache CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to those of the operating system user that CouchDB runs under, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows an existing CouchDB admin user to gain arbitrary remote code execution, bypassing the already disclosed CVE-2017-12636.
Mitigation: All users should upgrade to CouchDB releases 1.7.2 or 2.1.2.
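The mitigation above is purely a version threshold, one per release branch that was maintained at the time (1.7.2 for 1.x, 2.1.2 for 2.x). The following script is an added example, not code from the advisory or from the CouchDB project: it evaluates the JSON body that CouchDB returns from its unauthenticated GET / welcome endpoint (the `couchdb`/`version` fields are CouchDB's own documented response) and reports whether the server predates the fix for its branch. Treating major lines newer than 2.x as fixed is an assumption made here, not something the advisory states; the sample bodies are constructed, not captured from a real server.

```python
import json
import re

# Fixed releases named in the advisory, keyed by major version (branch).
FIXED_VERSIONS = {1: (1, 7, 2), 2: (2, 1, 2)}


def parse_version(version: str) -> tuple:
    """Turn '2.1.1', '2.0' or '1.7.2-rc1' into a comparable integer tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised CouchDB version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: str) -> bool:
    """True if the reported version predates the CVE-2018-8007 fix for its branch.

    1.x is fixed from 1.7.2 and 2.x from 2.1.2 (both from the advisory).
    Any later major line post-dates both fixes and is treated as fixed here;
    that is an assumption of this example, not a statement of the advisory.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return v[0] < 1  # 0.x predates every fix; newer majors assumed fixed
    return v < fixed


def assess_welcome(welcome_json: str) -> dict:
    """Evaluate the JSON body returned by CouchDB's GET / welcome endpoint."""
    body = json.loads(welcome_json)
    version = body.get("version")
    if body.get("couchdb") != "Welcome" or not version:
        raise ValueError("response does not look like a CouchDB welcome body")
    major = parse_version(version)[0]
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        # Minimum release that carries the fix for this server's branch.
        "fix": "1.7.2" if major == 1 else "2.1.2",
    }


# Constructed sample welcome bodies (not captured from a real server).
SAMPLE_OLD = '{"couchdb":"Welcome","version":"2.1.1","vendor":{"name":"The Apache Software Foundation"}}'
SAMPLE_FIXED = '{"couchdb":"Welcome","version":"2.1.2","vendor":{"name":"The Apache Software Foundation"}}'

if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_FIXED):
        print(assess_welcome(sample))
```

To run it against an instance you administer, fetch the welcome body (for example `curl -s http://localhost:5984/`) and pass the text to `assess_welcome`. The version check only tells you whether the fix is present; because the flaw requires an existing CouchDB admin account, the same inventory pass is a good moment to review who holds admin credentials on servers that cannot be upgraded immediately.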
Do I need to act?
EPSS: 18.2% chance of exploitation in the next 30 days (higher than 82% of all CVEs)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 7.2/10 (High); attack vector: Network; attack complexity: Low
Affected Products (1)
Affected Vendors
References (18)
Third Party Advisory: http://www.securityfocus.com/bid/104741
Third Party Advisory: https://blog.couchdb.org/2018/07/10/cve-2018-8007/
Third Party Advisory: https://security.gentoo.org/glsa/201812-06
Risk score: 44 / 100 (moderate-risk)
Severity: 26/34 · High
Exploitability: 13/34 · Low
Exposure: 5/34 · Minimal