CVE-2017-12635

EUVD-2017-4174

14.11.2017, 20:29

Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Affected Products (NVD)

Vendor	Product	Version
apache	couchdb	𝑥 < 1.7.0
apache	couchdb	2.0.0
apache	couchdb	2.0.0:rc1
apache	couchdb	2.0.0:rc2
apache	couchdb	2.0.0:rc3
apache	couchdb	2.0.0:rc4

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

couchdb

artful	ignored
bionic	dne
cosmic	dne
disco	dne
eoan	dne
focal	dne
groovy	dne
hirsute	dne
impish	dne
jammy	dne
mantic	dne
noble	dne
trusty	dne
xenial	needed
zesty	ignored

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References

http://www.securityfocus.com/bid/101868

https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67%40%3Cdev.couchdb.apache.org%3E

https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html

https://security.gentoo.org/glsa/201711-16

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03935en_us

https://www.exploit-db.com/exploits/44498/

https://www.exploit-db.com/exploits/45019/

http://www.securityfocus.com/bid/101868

https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67%40%3Cdev.couchdb.apache.org%3E

https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html

https://security.gentoo.org/glsa/201711-16

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03935en_us

https://www.exploit-db.com/exploits/44498/

https://www.exploit-db.com/exploits/45019/