First published: Thu Oct 14 2021(Updated: )
In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality. This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes. This issue affected Apache CouchDB prior to 3.1.2
Credit: security@apache.org security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache CouchDB | <3.1.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-38295 is a vulnerability in Apache CouchDB that allows a malicious user to execute JavaScript code by attaching a specially crafted HTML document to a database.
The severity of CVE-2021-38295 is high, with a CVSS score of 7.3.
Apache CouchDB versions up to and excluding 3.1.2 are affected by CVE-2021-38295.
A malicious user with permission to create documents in a database can attach an HTML document containing JavaScript code. When a CouchDB admin opens this attachment, the embedded JavaScript code gets executed.
To fix CVE-2021-38295, update Apache CouchDB to version 3.1.2 or higher.