CVE-2023-26268

low-risk

Published 2023-05-02

Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list * filter * filter views (using view functions as filters) * rewrite * update This doesn't affect map/reduce or search (Dreyfus) index functions. Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3). Workaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.4/10 Medium

NETWORK / HIGH complexity

Affected Products (2)

Couchdb

Cloudant

Affected Vendors

Ibm Apache

References (6)

Vendor Advisory https://docs.couchdb.org/en/stable/cve/2023-26268.html

Mailing List https://lists.apache.org/thread/ldkqs0nhpmho26bdxf4fon7w75hsq5gl

Mailing List https://lists.apache.org/thread/r2wvjfysg3d92lhhjd1qh3wfr8mlp0pp

Vendor Advisory https://docs.couchdb.org/en/stable/cve/2023-26268.html

Mailing List https://lists.apache.org/thread/ldkqs0nhpmho26bdxf4fon7w75hsq5gl

Mailing List https://lists.apache.org/thread/r2wvjfysg3d92lhhjd1qh3wfr8mlp0pp

/ 100

low-risk

Severity 14/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 7/34 · Low