Apache CouchDB Arbitrary Command Execution - exploit.company

vendor:

CouchDB

by:

Max Justicz, Joan Touzet, Green-m

7.2

CVSS

HIGH

Arbitrary Command Execution

N/A

CWE

Product Name: CouchDB

Affected Version From: 1.6.1

Affected Version To: 2.0.0

Patch Exists: YES

Related CWE: CVE-2017-12635, CVE-2017-12636

CPE: N/A

Metasploit: https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2017-12635/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2017-12635/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2018-11769/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2018-8007/, https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2018-11769/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2017-12635/, https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2017-12636/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2017-12636/, https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2018-8007/, https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2017-12635/

Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=104697, https://www.infosecmatter.com/nessus-plugin-library/?id=111018, https://www.infosecmatter.com/nessus-plugin-library/?id=105943, https://www.infosecmatter.com/nessus-plugin-library/?id=106208, https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/http/apache_couchdb_cmd_exec, https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/scanner/couchdb/couchdb_enum, https://www.infosecmatter.com/list-of-metasploit-linux-exploits-detailed-spreadsheet/, https://www.infosecmatter.com/metasploit-auxiliary-modules-detailed-spreadsheet/, https://www.infosecmatter.com/nessus-plugin-library/?id=104697, https://www.infosecmatter.com/nessus-plugin-library/?id=105943, https://www.infosecmatter.com/nessus-plugin-library/?id=111018, https://www.infosecmatter.com/nessus-plugin-library/?id=106208, https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/http/apache_couchdb_cmd_exec, https://www.infosecmatter.com/nessus-plugin-library/?id=97419, https://www.infosecmatter.com/nessus-plugin-library/?id=99128, https://www.infosecmatter.com/list-of-metasploit-linux-exploits-detailed-spreadsheet/, https://www.infosecmatter.com/nessus-plugin-library/?id=97191

Platforms Tested: Linux, Windows, Mac

2017

Apache CouchDB Arbitrary Command Execution

CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.

Mitigation:

Upgrade to Apache CouchDB 1.7.0 or 2.1.1 or later

Source

Exploit-DB raw data: