CVE-2018-15728: Code Injection
First published: Fri Aug 24 2018(Updated: )
Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API and the code would subsequently be executed in the underlying operating system with privileges of the user which was used to start Couchbase. Affects Version: 4.0.0, 4.1.2, 4.5.1, 5.0.0, 4.6.5, 5.0.1, 5.1.1, 5.5.0, 5.5.1. Fix Version: 6.0.0, 5.5.2
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Couchbase Couchbase Server |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2018-15728?
CVE-2018-15728 is a vulnerability in Couchbase Server that exposes the '/diag/eval' endpoint, allowing authenticated users with 'Full Admin' role to execute arbitrary Erlang code.
What is the severity of CVE-2018-15728?
CVE-2018-15728 has a severity score of 8.8 (Critical).
How can this vulnerability be exploited?
This vulnerability can be exploited by authenticated users with 'Full Admin' role sending arbitrary Erlang code to the '/diag/eval' endpoint of the Couchbase Server API.
What is the affected software for CVE-2018-15728?
The affected software for CVE-2018-15728 is Couchbase Server.
How can I fix CVE-2018-15728?
To fix CVE-2018-15728, apply the necessary patches or updates provided by Couchbase Server.
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/event
- agent/description
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- vendor/couchbase
- canonical/couchbase couchbase server