CVE-2020-24719: OS Command Injection
First published: Thu Nov 12 2020(Updated: )
Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes is done by exchanging a shared secret (aka "magic cookie"). There are cases where the magic cookie is included in the content of the logs. An attacker can use the cookie to attach to an Erlang node and run OS level commands on the system running the Erlang node. Affects version: 6.5.1. Fix version: 6.6.0.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Couchbase Couchbase Server | >=6.5.1<6.6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2020-24719?
CVE-2020-24719 is a vulnerability that exposes the Erlang cookie and could lead to remote command execution (RCE) attacks on Couchbase Server.
How does CVE-2020-24719 work?
CVE-2020-24719 occurs when the Erlang cookie, which is used for communication between Erlang nodes, is exposed in log files, allowing attackers to use it to attach to an Erlang node and execute remote commands.
What is the severity of CVE-2020-24719?
CVE-2020-24719 has a severity rating of 9.8, which is classified as critical.
What software is affected by CVE-2020-24719?
Couchbase Server versions between 6.5.1 and 6.6.0 are affected by CVE-2020-24719.
How can I fix CVE-2020-24719?
To fix CVE-2020-24719, it is recommended to update Couchbase Server to a version that no longer exposes the Erlang cookie in log files.
- collector/nvd-index
- agent/references
- agent/severity
- agent/author
- agent/type
- agent/event
- agent/weakness
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/couchbase
- canonical/couchbase couchbase server
- version/couchbase couchbase server/6.5.1