UBUNTU-CVE-2018-8007

Source
https://ubuntu.com/security/CVE-2018-8007
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-8007.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2018-8007
Related
Published
2018-07-11T13:29:00Z
Modified
2025-01-13T10:21:35Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Apache CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate their privileges to that of the operating system's user that CouchDB runs under, by bypassing the blacklist of configuration settings that are not allowed to be modified via the HTTP API. This privilege escalation effectively allows an existing CouchDB admin user to gain arbitrary remote code execution, bypassing already disclosed CVE-2017-12636. Mitigation: All users should upgrade to CouchDB releases 1.7.2 or 2.1.2.

References

Affected packages

Ubuntu:Pro:16.04:LTS / couchdb

Package

Name
couchdb
Purl
pkg:deb/ubuntu/couchdb@1.6.0-0ubuntu7?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6.0-0ubuntu7

Ecosystem specific

{
    "ubuntu_priority": "medium"
}