Description

Due to differences in CouchDB's Erlang-based JSON parser and JavaScript-based JSON parser, it is possible to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with 'CVE-2017-12636' (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user.

Remediation

Upgrade to the latest version of CouchDB

References

Remote Code Execution in CouchDB

Apache CouchDB CVE-2017-12635 and CVE-2017-12636

Related Vulnerabilities

WordPress Plugin Jigoshop-Store Toolkit Privilege Escalation (1.3.7)

WordPress Plugin WP Data Access Privilege Escalation (5.3.7)

VirtueMart access control bypass

WordPress Plugin UpdraftPlus WordPress Backup Privilege Escalation (1.23.2)

WordPress Plugin UserPro-Community and User Profile Privilege Escalation (4.9.20)

Severity

High

Classification

CVE-2017-12635 CWE-285 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Privilege Escalation