Filtered by vendor Couchbase
Subscribe
Search
Total
8 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-32559 | 1 Couchbase | 1 Couchbase Server | 2023-08-08 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in Couchbase Server before 7.0.4. Random HTTP requests lead to leaked metrics. | |||||
| CVE-2021-35943 | 1 Couchbase | 1 Couchbase Server | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty password, per RFC4513. | |||||
| CVE-2022-32563 | 1 Couchbase | 1 Sync Gateway | 2022-06-17 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509 client certificates, the admin credentials provided to the Admin REST API are ignored, resulting in privilege escalation for unauthenticated users. The Public REST API is not impacted by this issue. A workaround is to replace X.509 certificate based authentication with Username and Password authentication inside the bootstrap configuration. | |||||
| CVE-2020-9039 | 1 Couchbase | 1 Couchbase Server | 2022-01-01 | 7.5 HIGH | 9.8 CRITICAL |
| Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles. The endpoint was unauthenticated and has been updated to only allow authenticated users to access these administrative APIs. | |||||
| CVE-2019-11495 | 1 Couchbase | 1 Couchbase Server | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely. Couchbase Server uses erlang:now() to seed the PRNG which results in a small search space for potential random seeds that could then be used to brute force the cookie and execute code against a remote system. This has been fixed in version 6.0.0. | |||||
| CVE-2020-24719 | 1 Couchbase | 1 Couchbase Server | 2020-11-30 | 10.0 HIGH | 9.8 CRITICAL |
| Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes is done by exchanging a shared secret (aka "magic cookie"). There are cases where the magic cookie is included in the content of the logs. An attacker can use the cookie to attach to an Erlang node and run OS level commands on the system running the Erlang node. Affects version: 6.5.1. Fix version: 6.6.0. | |||||
| CVE-2019-11496 | 1 Couchbase | 1 Couchbase Server | 2020-08-24 | 6.4 MEDIUM | 9.1 CRITICAL |
| In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication. As part of 5.0, the behavior of all buckets including "default" were changed to only allow access by authenticated users with sufficient authorization. However, users were allowed unauthenticated and unauthorized access to the "default" bucket if the properties of this bucket were edited. This has been fixed in versions 5.1.0 and 5.5.0. | |||||
| CVE-2019-9039 | 1 Couchbase | 1 Sync Gateway | 2020-02-10 | 7.5 HIGH | 9.8 CRITICAL |
| In Couchbase Sync Gateway 2.1.2, an attacker with access to the Sync Gateway’s public REST API was able to issue additional N1QL statements and extract sensitive data or call arbitrary N1QL functions through the parameters "startkey" and "endkey" on the "_all_docs" endpoint. By issuing nested queries with CPU-intensive operations they may have been able to cause increased resource usage and denial of service conditions. The _all_docs endpoint is not required for Couchbase Mobile replication and external access to this REST endpoint has been blocked to mitigate this issue. This issue has been fixed in versions 2.5.0 and 2.1.3. | |||||