RSS   Vulnerabilities for 'Couchbase server'   RSS

2022-07-12
 
CVE-2022-33173

NVD-CWE-Other
 

 
An algorithm-downgrade issue was discovered in Couchbase Server before 7.0.4. Analytics Remote Links may temporarily downgrade to non-TLS connection to determine the TLS port number, using SCRAM-SHA instead.

 
 
CVE-2022-33911

CWE-532
 

 
An issue was discovered in Couchbase Server 7.x before 7.0.4. Field names are not redacted in logged validation messages for Analytics Service. An Unauthorized Actor may be able to obtain Sensitive Information.

 
2022-06-02
 
CVE-2021-33504

CWE-863
 

 
Couchbase Server before 7.1.0 has Incorrect Access Control.

 
2021-11-02
 
CVE-2021-37842

CWE-312
 

 
metakv in Couchbase Server 7.0.0 uses Cleartext for Storage of Sensitive Information. Remote Cluster XDCR credentials can get leaked in debug logs. Config key tombstone purging was added in Couchbase Server 7.0.0. This issue happens when a config key, which is being logged, has a tombstone purger time-stamp attached to it.

 
 
CVE-2021-42763

CWE-312
 

 
Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included in the HTTP request, has the "@" user credentials of the node processing the UI request.

 
2021-09-29
 
CVE-2021-35943

CWE-863
 

 
Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty password, per RFC4513.

 
 
CVE-2021-35944

CWE-120
 

 
Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached.

 
 
CVE-2021-35945

CWE-120
 

 
Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached.

 
2021-05-19
 
CVE-2021-27924

CWE-319
 

 
An issue was discovered in Couchbase Server 6.x through 6.6.1. The Couchbase Server UI is insecurely logging session cookies in the logs. This allows for the impersonation of a user if the log files are obtained by an attacker before a session cookie expires.

 
 
CVE-2021-25644

CWE-312
 

 
An issue was discovered in Couchbase Server 5.x and 6.x through 6.6.1 and 7.0.0 Beta. Incorrect commands to the REST API can result in leaked authentication information being stored in cleartext in the debug.log and info.log files, and is also shown in the UI visible to administrators.

 


Copyright 2024, cxsecurity.com

 

Back to Top