Service Notices
Apache CouchDB Remote Code Execution Vulnerability (CVE-2022-24706)
Apr 29, 2022 GMT+08:00
I. Overview
Apache CouchDB has announced a remote code execution vulnerability (CVE-2022-24706) in versions earlier than Apache CouchDB 3.2.2. An attacker can access an improperly secured default installation without authenticating and gain admin privileges to execute code remotely.
Apache CouchDB is an open-source document-oriented NoSQL database. If you are an Apache CouchDB user, check your versions and implement timely security hardening.
Reference: https://docs.couchdb.org/en/stable/cve/2022-24706.html
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
Apache CouchDB < 3.2.2
Secure versions:
Apache CouchDB >= 3.2.2
IV. Vulnerability Handling
1. This vulnerability has been fixed in the newly released version. If your service version falls into the affected range, upgrade it to the secure version.
2. Place a firewall in front of all CouchDB installations, as the CouchDB project officially recommends. The full CouchDB API is served on registered port 5984, and this is the only port that needs to be exposed for a single-node installation. Open the CouchDB distribution port only to trusted IP addresses.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
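As an added example (not part of this notice or of the CouchDB project), the script below helps with step 1: it reads the version a CouchDB node reports in its root banner on port 5984 and flags anything earlier than 3.2.2 as affected. The sample banner is constructed so the check can be run offline; the URL argument is a hypothetical convenience for checking a real node.

```python
"""Check whether a CouchDB node reports a version affected by CVE-2022-24706.

Added helper, not from the advisory: compares the version string returned by
GET / on the CouchDB API port against the first secure release, 3.2.2.
"""
import json
import re
import sys
import urllib.request

FIXED_VERSION = (3, 2, 2)  # first secure release named in the notice


def parse_version(version_str):
    """Turn '3.2.1' (or a suffixed form like '3.1.1-rc1') into an int tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version_str)
    if not m:
        raise ValueError(f"unrecognised CouchDB version string: {version_str!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_str):
    """True when the reported version is earlier than 3.2.2."""
    return parse_version(version_str) < FIXED_VERSION


def assess_banner(banner_json):
    """Evaluate the JSON body CouchDB returns for GET / on port 5984."""
    info = json.loads(banner_json)
    version = info.get("version", "")
    return {"version": version, "affected": is_affected(version)}


def fetch_banner(base_url="http://127.0.0.1:5984/", timeout=5):
    """Retrieve the root banner from a node you administer (hypothetical URL)."""
    with urllib.request.urlopen(base_url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed sample shaped like CouchDB's GET / response, for offline use.
    SAMPLE = '{"couchdb":"Welcome","version":"3.2.1","vendor":{"name":"Apache"}}'
    body = fetch_banner(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    result = assess_banner(body)
    status = "AFFECTED: upgrade to >= 3.2.2" if result["affected"] else "not affected"
    print(f"CouchDB {result['version']}: {status}")
```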