2.9. CVE-2017-12636: Apache CouchDB Remote Code Execution
Date
14.11.2017
Affected
All Versions of Apache CouchDB
Severity
Critical
Vendor
The Apache Software Foundation
2.9.1. Description
CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows a CouchDB admin user to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.
2.9.2. Mitigation
All users should upgrade to CouchDB 1.7.1 or 2.1.1.
Upgrades from previous 1.x and 2.x versions in the same series should be seamless.
Users on earlier versions, or users upgrading from 1.x to 2.x should consult with upgrade notes.
2.9.3. Credit
This issue was discovered by Joan Touzet of the CouchDB Security team during the investigation of CVE-2017-12635.