Vulnerability-Lookup

CVE-2022-24706 (GCVE-0-2022-24706)

Vulnerability from cvelistv5 – Published: 2022-04-26 00:00 – Updated: 2025-10-21 23:15

Title

Remote Code Execution Vulnerability in Packaging

Summary

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.

Severity ?

No CVSS data available.

CWE

CWE-1188 - Insecure Default Initialization of Resource

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/w24wo0h8nlctfps65…
	https://docs.couchdb.org/en/3.2.2/setup/cluster.html
	http://www.openwall.com/lists/oss-security/2022/04/26/1	mailing-list
	http://www.openwall.com/lists/oss-security/2022/05/09/1	mailing-list
	http://www.openwall.com/lists/oss-security/2022/05/09/3	mailing-list
	http://www.openwall.com/lists/oss-security/2022/05/09/4	mailing-list
	http://www.openwall.com/lists/oss-security/2022/05/09/2	mailing-list
	http://packetstormsecurity.com/files/167032/Apach…
	https://medium.com/%40_sadshade/couchdb-erlang-an…
	http://packetstormsecurity.com/files/169702/Apach…

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache CouchDB	Affected: Apache CouchDB , ≤ 3.2.1 (custom)

Credits

The Apache CouchDB Team would like to thank Alex Vandiver <alexmv@zulip.com> for the report of this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:50.213Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.couchdb.org/en/3.2.2/setup/cluster.html"
          },
          {
            "name": "[oss-security] 20220426 CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/04/26/1"
          },
          {
            "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/05/09/1"
          },
          {
            "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/05/09/3"
          },
          {
            "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/05/09/4"
          },
          {
            "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/05/09/2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-24706",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-29T16:14:35.670152Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-08-25",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24706"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:15:40.735Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24706"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-08-25T00:00:00.000Z",
            "value": "CVE-2022-24706 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache CouchDB",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.2.1",
              "status": "affected",
              "version": "Apache CouchDB",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The Apache CouchDB Team would like to thank Alex Vandiver \u003calexmv@zulip.com\u003e for the report of this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "critical"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188 Insecure Default Initialization of Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-02T00:00:00.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00"
        },
        {
          "url": "https://docs.couchdb.org/en/3.2.2/setup/cluster.html"
        },
        {
          "name": "[oss-security] 20220426 CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/04/26/1"
        },
        {
          "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/05/09/1"
        },
        {
          "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/05/09/3"
        },
        {
          "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/05/09/4"
        },
        {
          "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/05/09/2"
        },
        {
          "url": "http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html"
        },
        {
          "url": "https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd"
        },
        {
          "url": "http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution Vulnerability in Packaging",
      "workarounds": [
        {
          "lang": "en",
          "value": "CouchDB 3.2.2 and onwards will refuse to start with the former default\nErlang cookie value of `monster`. Installations that upgrade to this\nversions are forced to choose a different value.\n\nIn addition, all binary packages have been updated to bind `epmd` as\nwell as the CouchDB distribution port to `127.0.0.1` and/or `::1`\nrespectively."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-24706",
    "datePublished": "2022-04-26T00:00:00.000Z",
    "dateReserved": "2022-02-10T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:15:40.735Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2022-24706",
      "cwes": "[\"CWE-1188\"]",
      "dateAdded": "2022-08-25",
      "dueDate": "2022-09-15",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00;  https://nvd.nist.gov/vuln/detail/CVE-2022-24706",
      "product": "CouchDB",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges.",
      "vendorProject": "Apache",
      "vulnerabilityName": "Apache CouchDB Insecure Default Initialization of Resource Vulnerability"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://docs.couchdb.org/en/3.2.2/setup/cluster.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/04/26/1\", \"name\": \"[oss-security] 20220426 CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/05/09/1\", \"name\": \"[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/05/09/3\", \"name\": \"[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/05/09/4\", \"name\": \"[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/05/09/2\", \"name\": \"[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T04:20:50.213Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-24706\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-29T16:14:35.670152Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-08-25\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24706\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2022-08-25T00:00:00.000Z\", \"value\": \"CVE-2022-24706 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24706\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-29T16:14:24.292Z\"}}], \"cna\": {\"title\": \"Remote Code Execution Vulnerability in Packaging\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"The Apache CouchDB Team would like to thank Alex Vandiver \u003calexmv@zulip.com\u003e for the report of this issue.\"}], \"metrics\": [{\"other\": {\"type\": \"unknown\", \"content\": {\"other\": \"critical\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache CouchDB\", \"versions\": [{\"status\": \"affected\", \"version\": \"Apache CouchDB\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"3.2.1\"}]}], \"references\": [{\"url\": \"https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00\"}, {\"url\": \"https://docs.couchdb.org/en/3.2.2/setup/cluster.html\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/04/26/1\", \"name\": \"[oss-security] 20220426 CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging\", \"tags\": [\"mailing-list\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/05/09/1\", \"name\": \"[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging\", \"tags\": [\"mailing-list\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/05/09/3\", \"name\": \"[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging\", \"tags\": [\"mailing-list\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/05/09/4\", \"name\": \"[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging\", \"tags\": [\"mailing-list\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/05/09/2\", \"name\": \"[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging\", \"tags\": [\"mailing-list\"]}, {\"url\": \"http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html\"}, {\"url\": \"https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd\"}, {\"url\": \"http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"CouchDB 3.2.2 and onwards will refuse to start with the former default\\nErlang cookie value of `monster`. Installations that upgrade to this\\nversions are forced to choose a different value.\\n\\nIn addition, all binary packages have been updated to bind `epmd` as\\nwell as the CouchDB distribution port to `127.0.0.1` and/or `::1`\\nrespectively.\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1188\", \"description\": \"CWE-1188 Insecure Default Initialization of Resource\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2022-11-02T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-24706\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:15:40.735Z\", \"dateReserved\": \"2022-02-10T00:00:00.000Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2022-04-26T00:00:00.000Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CNVD-2022-60929

Vulnerability from cnvd - Published: 2022-09-20

Title

Apache CouchDB存在命令执行漏洞

Description

Apache CouchDB是美国阿帕奇（Apache）基金会的使用Erlang开发的一套面向文档的数据库系统。 Apache CouchDB存在命令执行漏洞，攻击者可利用该漏洞获取管理员权限。

Severity

高

Patch Name

Apache CouchDB存在命令执行漏洞的补丁

Patch Description

Apache CouchDB是美国阿帕奇（Apache）基金会的使用Erlang开发的一套面向文档的数据库系统。 Apache CouchDB存在命令执行漏洞，攻击者可利用该漏洞获取管理员权限。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://apache.org/

Impacted products

Name
Apache CouchDB <3.2.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-24706"
    }
  },
  "description": "Apache CouchDB\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4f7f\u7528Erlang\u5f00\u53d1\u7684\u4e00\u5957\u9762\u5411\u6587\u6863\u7684\u6570\u636e\u5e93\u7cfb\u7edf\u3002\n\nApache CouchDB\u5b58\u5728\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u7ba1\u7406\u5458\u6743\u9650\u3002",
  "discovererName": "\u674e\u517b\u9c7c",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://apache.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-60929",
  "openTime": "2022-09-20",
  "patchDescription": "Apache CouchDB\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4f7f\u7528Erlang\u5f00\u53d1\u7684\u4e00\u5957\u9762\u5411\u6587\u6863\u7684\u6570\u636e\u5e93\u7cfb\u7edf\u3002\r\n\r\nApache CouchDB\u5b58\u5728\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u7ba1\u7406\u5458\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache CouchDB\u5b58\u5728\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache CouchDB \u003c3.2.2"
  },
  "serverity": "\u9ad8",
  "submitTime": "2022-08-06",
  "title": "Apache CouchDB\u5b58\u5728\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e"
}

CNVD-2022-41634

Vulnerability from cnvd - Published: 2022-05-28

Title

Apache CouchDB访问控制错误漏洞

Description

Apache CouchDB是美国阿帕奇（Apache）基金会的使用Erlang开发的一套面向文档的数据库系统。 Apache CouchDB 3.2.2 之前版本存在访问控制错误漏洞，该漏洞源于网络系统或产品未正确限制来自未授权角色的资源访问。未经身份验证的攻击者可利用该漏洞获得管理员权限。

Severity

高

Patch Name

Apache CouchDB访问控制错误漏洞的补丁

Patch Description

Apache CouchDB是美国阿帕奇（Apache）基金会的使用Erlang开发的一套面向文档的数据库系统。 Apache CouchDB 3.2.2 之前版本存在访问控制错误漏洞，该漏洞源于网络系统或产品未正确限制来自未授权角色的资源访问。未经身份验证的攻击者可利用该漏洞获得管理员权限。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-24706

Impacted products

Name
Apache CouchDB <3.2.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-24706",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-24706"
    }
  },
  "description": "Apache CouchDB\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4f7f\u7528Erlang\u5f00\u53d1\u7684\u4e00\u5957\u9762\u5411\u6587\u6863\u7684\u6570\u636e\u5e93\u7cfb\u7edf\u3002\n\nApache CouchDB 3.2.2 \u4e4b\u524d\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u6b63\u786e\u9650\u5236\u6765\u81ea\u672a\u6388\u6743\u89d2\u8272\u7684\u8d44\u6e90\u8bbf\u95ee\u3002\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u5f97\u7ba1\u7406\u5458\u6743\u9650\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-41634",
  "openTime": "2022-05-28",
  "patchDescription": "Apache CouchDB\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4f7f\u7528Erlang\u5f00\u53d1\u7684\u4e00\u5957\u9762\u5411\u6587\u6863\u7684\u6570\u636e\u5e93\u7cfb\u7edf\u3002\r\n\r\nApache CouchDB 3.2.2 \u4e4b\u524d\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u6b63\u786e\u9650\u5236\u6765\u81ea\u672a\u6388\u6743\u89d2\u8272\u7684\u8d44\u6e90\u8bbf\u95ee\u3002\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u5f97\u7ba1\u7406\u5458\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache CouchDB\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache CouchDB \u003c3.2.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-24706",
  "serverity": "\u9ad8",
  "submitTime": "2022-04-28",
  "title": "Apache CouchDB\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

GSD-2022-24706

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-24706

Aliases

CVE-2022-24706

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-24706",
    "description": "In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.",
    "id": "GSD-2022-24706",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-24706.html",
      "https://security.archlinux.org/CVE-2022-24706",
      "https://packetstormsecurity.com/files/cve/CVE-2022-24706",
      "https://advisories.mageia.org/CVE-2022-24706.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-24706"
      ],
      "details": "In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.",
      "id": "GSD-2022-24706",
      "modified": "2023-12-13T01:19:43.281227Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2022-24706",
        "STATE": "PUBLIC",
        "TITLE": "Remote Code Execution Vulnerability in Packaging"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache CouchDB",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "Apache CouchDB",
                          "version_value": "3.2.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "The Apache CouchDB Team would like to thank Alex Vandiver \u003calexmv@zulip.com\u003e for the report of this issue."
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": [
        {
          "other": "critical"
        }
      ],
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-1188 Insecure Default Initialization of Resource"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00"
          },
          {
            "name": "https://docs.couchdb.org/en/3.2.2/setup/cluster.html",
            "refsource": "MISC",
            "url": "https://docs.couchdb.org/en/3.2.2/setup/cluster.html"
          },
          {
            "name": "[oss-security] 20220426 CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/04/26/1"
          },
          {
            "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/05/09/1"
          },
          {
            "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/05/09/3"
          },
          {
            "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/05/09/4"
          },
          {
            "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/05/09/2"
          },
          {
            "name": "http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html"
          },
          {
            "name": "https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd",
            "refsource": "MISC",
            "url": "https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd"
          },
          {
            "name": "http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      },
      "work_around": [
        {
          "lang": "eng",
          "value": "CouchDB 3.2.2 and onwards will refuse to start with the former default\nErlang cookie value of `monster`. Installations that upgrade to this\nversions are forced to choose a different value.\n\nIn addition, all binary packages have been updated to bind `epmd` as\nwell as the CouchDB distribution port to `127.0.0.1` and/or `::1`\nrespectively."
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.2.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-24706"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-1188"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00"
            },
            {
              "name": "https://docs.couchdb.org/en/3.2.2/setup/cluster.html",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://docs.couchdb.org/en/3.2.2/setup/cluster.html"
            },
            {
              "name": "[oss-security] 20220426 CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/04/26/1"
            },
            {
              "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/05/09/4"
            },
            {
              "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/05/09/1"
            },
            {
              "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/05/09/2"
            },
            {
              "name": "[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/05/09/3"
            },
            {
              "name": "http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html"
            },
            {
              "name": "https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd"
            },
            {
              "name": "http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-11-21T19:28Z",
      "publishedDate": "2022-04-26T10:15Z"
    }
  }
}

bit-couchdb-2022-24706

Vulnerability from bitnami_vulndb

Published

2024-03-06 10:51

Modified

2025-10-22 09:08

Summary

Remote Code Execution Vulnerability in Packaging

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "couchdb",
        "purl": "pkg:bitnami/couchdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24706"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*"
    ],
    "severity": "Critical"
  },
  "details": "In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.",
  "id": "BIT-couchdb-2022-24706",
  "modified": "2025-10-22T09:08:25.162Z",
  "published": "2024-03-06T10:51:24.067Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/04/26/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/4"
    },
    {
      "type": "WEB",
      "url": "https://docs.couchdb.org/en/3.2.2/setup/cluster.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24706"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24706"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "Remote Code Execution Vulnerability in Packaging"
}

CVE-2022-24706

Vulnerability from fstec - Published: 26.04.2022

Title

Уязвимость системы управления базами данных CouchDB, связанная с небезопасной инициализацией ресурса, позволяющая нарушителю повысить свои привилегии

Description

Уязвимость системы управления базами данных CouchDB связана с небезопасной инициализацией ресурса. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, повысить свои привилегии

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

Apache Software Foundation

Software Name

CouchDB

Software Version

до 3.2.2 (CouchDB)

Possible Mitigations

Использование рекомендаций производителя: https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00

Reference

http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html http://www.openwall.com/lists/oss-security/2022/04/26/1 http://www.openwall.com/lists/oss-security/2022/05/09/1 http://www.openwall.com/lists/oss-security/2022/05/09/2 http://www.openwall.com/lists/oss-security/2022/05/09/3 http://www.openwall.com/lists/oss-security/2022/05/09/4 https://docs.couchdb.org/en/3.2.2/setup/cluster.html https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00 https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv

CWE

CWE-1188

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Apache Software Foundation",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 3.2.2 (CouchDB)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "26.04.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "24.09.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "20.05.2022",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-03030",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-24706",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "CouchDB",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0431\u0430\u0437\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 CouchDB, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0439 \u0438\u043d\u0438\u0446\u0438\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0435\u0439 \u0440\u0435\u0441\u0443\u0440\u0441\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u0430\u044f \u0438\u043d\u0438\u0446\u0438\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f (CWE-1188)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0431\u0430\u0437\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 CouchDB \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0439 \u0438\u043d\u0438\u0446\u0438\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0435\u0439 \u0440\u0435\u0441\u0443\u0440\u0441\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html\nhttp://www.openwall.com/lists/oss-security/2022/04/26/1\nhttp://www.openwall.com/lists/oss-security/2022/05/09/1\nhttp://www.openwall.com/lists/oss-security/2022/05/09/2\nhttp://www.openwall.com/lists/oss-security/2022/05/09/3\nhttp://www.openwall.com/lists/oss-security/2022/05/09/4\nhttps://docs.couchdb.org/en/3.2.2/setup/cluster.html\nhttps://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00\nhttps://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u041f\u041e \u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-1188",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}

FKIE_CVE-2022-24706

Vulnerability from fkie_nvd - Published: 2022-04-26 10:15 - Updated: 2025-10-28 13:35

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security@apache.org	http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
security@apache.org	http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
security@apache.org	http://www.openwall.com/lists/oss-security/2022/04/26/1	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2022/05/09/1	Mailing List, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2022/05/09/2	Mailing List, Patch, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2022/05/09/3	Mailing List, Patch, Third Party Advisory
security@apache.org	http://www.openwall.com/lists/oss-security/2022/05/09/4	Mailing List, Patch, Third Party Advisory
security@apache.org	https://docs.couchdb.org/en/3.2.2/setup/cluster.html	Broken Link, Product
security@apache.org	https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00	Mailing List, Vendor Advisory
security@apache.org	https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/04/26/1	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/05/09/1	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/05/09/2	Mailing List, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/05/09/3	Mailing List, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/05/09/4	Mailing List, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://docs.couchdb.org/en/3.2.2/setup/cluster.html	Broken Link, Product
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd	Exploit, Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24706	US Government Resource

Impacted products

	Vendor	Product	Version
	apache	couchdb	*

JSON

To clipboard

{
  "cisaActionDue": "2022-09-15",
  "cisaExploitAdd": "2022-08-25",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "Apache CouchDB Insecure Default Initialization of Resource Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C49414F4-5081-4B1E-BBAC-929CE3A75A72",
              "versionEndExcluding": "3.2.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations."
    },
    {
      "lang": "es",
      "value": "En Apache CouchDB versiones anteriores a 3.2.2, un atacante puede acceder a una instalaci\u00f3n por defecto asegurada inapropiadamente sin autenticarse y alcanzar privilegios de administrador. La documentaci\u00f3n de CouchDB siempre ha hecho recomendaciones para asegurar apropiadamente una instalaci\u00f3n, incluyendo la recomendaci\u00f3n de usar un firewall delante de todas las instalaciones de CouchDB"
    }
  ],
  "id": "CVE-2022-24706",
  "lastModified": "2025-10-28T13:35:43.997",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2022-04-26T10:15:35.083",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/04/26/1"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/1"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/2"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/3"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/4"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Broken Link",
        "Product"
      ],
      "url": "https://docs.couchdb.org/en/3.2.2/setup/cluster.html"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/04/26/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Product"
      ],
      "url": "https://docs.couchdb.org/en/3.2.2/setup/cluster.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24706"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1188"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1188"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-VXC9-8M8H-9CP6

Vulnerability from github – Published: 2022-04-27 00:00 – Updated: 2025-10-22 00:32

Details

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-24706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-26T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.",
  "id": "GHSA-vxc9-8m8h-9cp6",
  "modified": "2025-10-22T00:32:32Z",
  "published": "2022-04-27T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24706"
    },
    {
      "type": "WEB",
      "url": "https://docs.couchdb.org/en/3.2.2/setup/cluster.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24706"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/04/26/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/05/09/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-24706 (GCVE-0-2022-24706)

CNVD-2022-60929

CNVD-2022-41634

GSD-2022-24706

bit-couchdb-2022-24706

Vulnerability from bitnami_vulndb

CVE-2022-24706

FKIE_CVE-2022-24706

GHSA-VXC9-8M8H-9CP6

Tags

Sightings

Nomenclature