Description
Due to differences in CouchDB's Erlang-based JSON parser and JavaScript-based JSON parser, it is possible to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with 'CVE-2017-12636' (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user.
Remediation
Upgrade to the latest version of CouchDB
References
Related Vulnerabilities
WordPress Plugin ProfileGrid-User Profiles, Groups and Communities Privilege Escalation (5.8.9)
WordPress Plugin WatchTowerHQ Privilege Escalation (3.6.16)
WordPress Plugin WP e-Commerce-Store Toolkit Privilege Escalation (2.0)
WordPress Plugin Slick Popup:Contact Form 7 Popup Privilege Escalation (1.7.1)