What is CVE-2021-38295?

CVE-2021-38295 is a vulnerability in Apache CouchDB that allows a malicious user to execute JavaScript code by attaching a specially crafted HTML document to a database.

What is the severity of CVE-2021-38295?

The severity of CVE-2021-38295 is high, with a CVSS score of 7.3.

Which software is affected by CVE-2021-38295?

Apache CouchDB versions up to and excluding 3.1.2 are affected by CVE-2021-38295.

How does CVE-2021-38295 exploit work?

A malicious user with permission to create documents in a database can attach an HTML document containing JavaScript code. When a CouchDB admin opens this attachment, the embedded JavaScript code gets executed.

How can I fix CVE-2021-38295?

To fix CVE-2021-38295, update Apache CouchDB to version 3.1.2 or higher.

Vulnerability/
CVE-2021-38295

high

7.8

CWE

79 20

14/10/2021

4/8/2024

CVE-2021-38295: Privilege escalation vulnerability when using HTML attachments

First published: Thu Oct 14 2021(Updated: )

Apache CouchDB could allow a remote attacker to gain elevated privileges on the system, caused by improper input validation. By persuading a victim to open specially-crafted content, an authenticated attacker could exploit this vulnerability to gain elevated privileges to add or remove data in any database or make configuration changes.

Credit: security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
Apache CouchDB	<3.1.2
IBM Planning Analytics Local - IBM Planning Analytics Workspace	<=2.1
IBM Planning Analytics Local - IBM Planning Analytics Workspace	<=2.0

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7151122

Frequently Asked Questions

What is CVE-2021-38295?
CVE-2021-38295 is a vulnerability in Apache CouchDB that allows a malicious user to execute JavaScript code by attaching a specially crafted HTML document to a database.
What is the severity of CVE-2021-38295?
The severity of CVE-2021-38295 is high, with a CVSS score of 7.3.
Which software is affected by CVE-2021-38295?
Apache CouchDB versions up to and excluding 3.1.2 are affected by CVE-2021-38295.
How does CVE-2021-38295 exploit work?
A malicious user with permission to create documents in a database can attach an HTML document containing JavaScript code. When a CouchDB admin opens this attachment, the embedded JavaScript code gets executed.
How can I fix CVE-2021-38295?
To fix CVE-2021-38295, update Apache CouchDB to version 3.1.2 or higher.

collector/nvd-api
collector/nvd-index
agent/author
agent/type
agent/severity
agent/references
agent/weakness
agent/description
collector/ibm-support
source/IBM
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/title
agent/tags
agent/first-publish-date
agent/event
vendor/apache
canonical/apache couchdb
vendor/ibm
canonical/ibm planning analytics local - ibm planning analytics workspace
version/ibm planning analytics local - ibm planning analytics workspace/2.1
version/ibm planning analytics local - ibm planning analytics workspace/2.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.