我的书签
添加书签
移除书签17.9. CVE-2017-12636: Apache CouchDB Remote Code Execution
| Date: |
|---|
| 14.11.2017 |
| Affected: |
| ——- |
| All Versions of Apache CouchDB |
| Severity: |
| ——- |
| Critical |
| Vendor: |
| ——- |
| The Apache Software Foundation |
17.9.1. Description
CouchDB administrative users can configure the database server via HTTP(S). Someof the configuration options include paths for operating system-level binariesthat are subsequently launched by CouchDB. This allows a CouchDB admin user toexecute arbitrary shell commands as the CouchDB user, including downloadingand executing scripts from the public internet.
17.9.2. Mitigation
All users should upgrade to CouchDB 1.7.1 or2.1.1.
Upgrades from previous 1.x and 2.x versions in the same series should beseamless.
Users on earlier versions, or users upgrading from 1.x to 2.x should consultwith upgrade notes.
17.9.3. Credit
This issue was discovered by Joan Touzet of the CouchDB Security team duringthe investigation of CVE-2017-12635.
