SUSE-SU-2018:2578-1

Source
https://www.suse.com/support/update/announcement/2018/suse-su-20182578-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2018:2578-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2018:2578-1
Published
2018-08-31T12:16:30Z
Modified
2018-08-31T12:16:30Z
Summary
Security update for couchdb
Details

This update for couchdb to 1.7.2 fixes the following security issues:

  • CVE-2018-8007: Apache CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it was possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user that CouchDB runs under, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API (bsc#1100973).
  • CVE-2017-12636: CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allowed an admin user in Apache CouchDB to execute arbitrary shell commands as the CouchDB user (bsc#1068386).
Affected packages

SUSE:OpenStack Cloud 7 / couchdb

Package

Name
couchdb
Purl
pkg:rpm/suse/couchdb&distro=SUSE%20OpenStack%20Cloud%207

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.7.2-2.8.2

Ecosystem specific

{
    "binaries": [
        {
            "couchdb": "1.7.2-2.8.2"
        }
    ]
}

SUSE:Enterprise Storage 4 / couchdb

Package

Name
couchdb
Purl
pkg:rpm/suse/couchdb&distro=SUSE%20Enterprise%20Storage%204

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.7.2-2.8.2

Ecosystem specific

{
    "binaries": [
        {
            "couchdb": "1.7.2-2.8.2"
        }
    ]
}