CVE-2022-24706: Apache CouchDB Insecure Default Initialization of Resource Vulnerability
First published: Tue Apr 26 2022(Updated: )
Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache CouchDB | <3.2.2 | |
| IBM Planning Analytics Local - IBM Planning Analytics Workspace | <=2.1 | |
| IBM Planning Analytics Local - IBM Planning Analytics Workspace | <=2.0 | |
| Apache CouchDB | ||
| <3.2.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html
- http://www.openwall.com/lists/oss-security/2022/04/26/1
- http://www.openwall.com/lists/oss-security/2022/05/09/1
- http://www.openwall.com/lists/oss-security/2022/05/09/2
- http://www.openwall.com/lists/oss-security/2022/05/09/3
- http://www.openwall.com/lists/oss-security/2022/05/09/4
- https://docs.couchdb.org/en/3.2.2/setup/cluster.html
- https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
- https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd
- https://exchange.xforce.ibmcloud.com/vulnerabilities/225177
- https://www.ibm.com/support/pages/node/7151122 (Advisory)
- https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd
- https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00;
- https://nvd.nist.gov/vuln/detail/CVE-2022-24706
Frequently Asked Questions
What is CVE-2022-24706?
CVE-2022-24706 is a vulnerability in Apache CouchDB that allows an attacker to access an improperly secured default installation without authenticating and gain admin privileges.
How severe is CVE-2022-24706?
CVE-2022-24706 has a severity rating of 9.8 (Critical).
How can an attacker exploit CVE-2022-24706?
CVE-2022-24706 can be exploited by an attacker to gain admin privileges in an improperly secured default installation of Apache CouchDB, without the need for authentication.
What are the affected software versions of CVE-2022-24706?
The affected software versions of CVE-2022-24706 are Apache CouchDB up to version 3.2.2.
How can I mitigate CVE-2022-24706?
To mitigate CVE-2022-24706, it is recommended to properly secure your Apache CouchDB installation by following the CouchDB documentation's recommendations, such as using a firewall.
- collector/nvd-index
- agent/type
- agent/title
- agent/weakness
- agent/remedy
- agent/severity
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/references
- agent/tags
- collector/nvd-cve
- vendor/apache
- canonical/apache couchdb
- vendor/ibm
- canonical/ibm planning analytics local - ibm planning analytics workspace
- version/ibm planning analytics local - ibm planning analytics workspace/2.1
- version/ibm planning analytics local - ibm planning analytics workspace/2.0