Vulnerabilities for 'Couchbase server'

2019-09-10

CVE-2019-11497 (CWE-295)
An issue was discovered in Couchbase Server 5.0.0. When creating a new remote cluster reference in Couchbase for XDCR, an invalid certificate is accepted. (The correct behavior is to validate the certificate against the remote cluster.)

CVE-2019-11496 (CWE-287)
An issue was discovered in Couchbase Server 5.0.0. Editing bucket settings resets credentials, and leads to authorization without credentials.

CVE-2019-11495 (CWE-94)
Couchbase Server 5.1.1 generates insufficiently random numbers. The product hosts many network services by default. One of those services is an epmd service, which allows for node integration between Erlang instances. This service is protected by a single 16-character password. Unfortunately, this password is not generated securely due to an insufficient random seed, and can be reasonably brute-forced by an attacker to execute code against a remote system.

CVE-2019-11467 (CWE-400)
An issue was discovered in Couchbase Server 4.6.3 and 5.5.0. A JSON document to be stored with more than 3000 '\t' characters can crash the indexing system.

CVE-2019-11466 (CWE-287)
An issue was discovered in Couchbase Server 5.5.0 and 6.0.0. The Eventing debug endpoint mishandles authentication and audit.

CVE-2019-11465 (CWE-203)
An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a non-redacted username. The system information submitted to Couchbase as part of a bug report included the usernames for all users currently logged into the system, even if the log was redacted for privacy. This has been fixed (in 5.5.4 and 6.0.1) so that usernames are tagged properly in the logs and are hashed out when the logs are redacted.

CVE-2019-11464 (CWE-79)
An issue was discovered in Couchbase Server 5.1.2 and 5.5.0. The HTTP server on port 8092 lacks an X-XSS-Protection header.

2018-08-24

CVE-2018-15728 (CWE-94)
An issue was discovered in Couchbase Server. Authenticated users can send arbitrary Erlang code to the 'diag/eval' endpoint of the REST API (available by default on TCP/8091 and/or TCP/18091). The executed code in the underlying operating system will run with the privileges of the user running Couchbase Server.

Copyright 2019, cxsecurity.com

 
