This repository was archived by the owner on Oct 17, 2022. It is now read-only.

Commit 392daeb

feat: CVE 2021-38295
1 parent dd10275 commit 392daeb

File tree

1 file changed

+58
-0
lines changed


src/cve/2021-38295.rst

Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,58 @@
1+
.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
2+
.. use this file except in compliance with the License. You may obtain a copy of
3+
.. the License at
4+
..
5+
.. http://www.apache.org/licenses/LICENSE-2.0
6+
..
7+
.. Unless required by applicable law or agreed to in writing, software
8+
.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
9+
.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
10+
.. License for the specific language governing permissions and limitations under
11+
.. the License.
12+
13+
.. _cve/2021-38295:
14+
15+
===========================================================
16+
CVE-2021-38295: Apache CouchDB Privilege Escalation
17+
===========================================================
18+
19+
:Date: 12.10.2021
20+
21+
:Affected: 3.1.1 and below
22+
23+
:Severity: Low
24+
25+
:Vendor: The Apache Software Foundation
26+
27+
Description
28+
===========
29+
30+
A malicious user with permission to create documents in a database is able
31+
to attach a HTML attachment to a document. If a CouchDB admin opens that
32+
attachment in a browser, e.g. via the CouchDB admin interface Fauxton,
33+
any JavaScript code embedded in that HTML attachment will be executed within
34+
the security context of that admin. A similar route is available with the
35+
already deprecated `_show` and `_list` functionality.
36+
37+
This *privilege escalation* vulnerability allows an attacker to add or remove
38+
data in any database or make configuration changes.
39+
40+
Mitigation
41+
==========
42+
43+
CouchDB :ref:`3.2.0 <release/3.2.0>` and onwards adds `Content-Security-Policy`
44+
headers for all attachment, `_show` and `_list` requests. This breaks certain
45+
niche use-cases and there are configuration options to restore the previous
46+
behaviour for those who need it.
47+
48+
CouchDB :ref:`3.1.2 <release/3.1.2>` defaults to the previous behaviour, but
49+
adds configuration options to turn `Content-Security-Policy` headers on for
50+
all affected requests.
51+
52+
Credit
53+
======
54+
55+
This issue was identified by `Cory Sabol`_ of `Secure Ideas`_.
56+
57+
.. _Secure Ideas: https://secureideas.com/
58+
.. _Cory Sabol: mailto:[email protected]
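Review bot: The Mitigation section (file lines 43-50) tells admins that 3.2.0 has configuration options to restore the previous behaviour and that 3.1.2 has options to turn the `Content-Security-Policy` headers on, but names neither the options nor the config section; add the option names or a `:ref:` to the configuration documentation so an operator reading the advisory can act on it without hunting through the release notes. Markup point: `_show`, `_list` and `Content-Security-Policy` are written with single backticks, which reStructuredText renders as interpreted text (default role) rather than as code; use double backticks for literals, e.g. ``_show``. Two smaller items: "attach a HTML attachment" (file line 31) should read "an HTML attachment", and the `:Date:` value "12.10.2021" is ambiguous between day-first and month-first reading; writing it in ISO 8601 form (2021-10-12 if it means 12 October 2021) removes the ambiguity.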
