What is the vulnerability ID of this issue?

The vulnerability ID is CVE-2022-32563.

What is the severity of CVE-2022-32563?

The severity of CVE-2022-32563 is critical (9.8).

What is the affected software?

The affected software is Couchbase Sync Gateway 3.x before 3.0.2.

How can I fix the vulnerability?

To fix the vulnerability, upgrade to Couchbase Sync Gateway 3.0.2 or later.

Vulnerability/
CVE-2022-32563

critical

9.8

CWE

295

10/6/2022

11/6/2022

13/9/2024

CVE-2022-32563

Q: How does the vulnerability occur?

The vulnerability occurs when admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server.

First published: Fri Jun 10 2022(Updated: )

An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509 client certificates, the admin credentials provided to the Admin REST API are ignored, resulting in privilege escalation for unauthenticated users. The Public REST API is not impacted by this issue. A workaround is to replace X.509 certificate based authentication with Username and Password authentication inside the bootstrap configuration.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
Couchbase Sync Gateway	>=3.0.0<3.0.2
pip/couchbase	>=3.0.0<3.0.2	3.0.2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID of this issue?
The vulnerability ID is CVE-2022-32563.
What is the severity of CVE-2022-32563?
The severity of CVE-2022-32563 is critical (9.8).
What is the affected software?
The affected software is Couchbase Sync Gateway 3.x before 3.0.2.
How does the vulnerability occur?
The vulnerability occurs when admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server.
How can I fix the vulnerability?
To fix the vulnerability, upgrade to Couchbase Sync Gateway 3.0.2 or later.

collector/nvd-index
agent/type
agent/weakness
agent/severity
agent/references
agent/author
agent/description
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
agent/softwarecombine
collector/github-advisory
source/GitHub
alias/GHSA-9266-j9v3-q4j5
alias/CVE-2022-32563
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/tags
agent/first-publish-date
agent/event
collector/github-advisory-latest
vendor/couchbase
canonical/couchbase sync gateway
version/couchbase sync gateway/3.0.0
package-manager/pip

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.