|
| 1 | +.. Licensed under the Apache License, Version 2.0 (the "License"); you may not |
| 2 | +.. use this file except in compliance with the License. You may obtain a copy of |
| 3 | +.. the License at |
| 4 | +.. |
| 5 | +.. http://www.apache.org/licenses/LICENSE-2.0 |
| 6 | +.. |
| 7 | +.. Unless required by applicable law or agreed to in writing, software |
| 8 | +.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 9 | +.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 10 | +.. License for the specific language governing permissions and limitations under |
| 11 | +.. the License. |
| 12 | +
|
| 13 | +.. _cve/2020-1955: |
| 14 | + |
| 15 | +=========================================================== |
| 16 | +CVE-2020-1955: Apache CouchDB Remote Privilege Escalations |
| 17 | +=========================================================== |
| 18 | + |
| 19 | +:Date: 19.05.2020 |
| 20 | + |
| 21 | +:Affected: 3.0.0 |
| 22 | + |
| 23 | +:Severity: Medium |
| 24 | + |
| 25 | +:Vendor: The Apache Software Foundation |
| 26 | + |
| 27 | +Description |
| 28 | +=========== |
| 29 | + |
| 30 | +CouchDB version 3.0.0 shipped with a new configuration setting that |
| 31 | +governs access control to the entire database server called |
| 32 | +`require_valid_user_except_for_up`. It was meant as an extension to the |
| 33 | +long standing setting `require_valid_user`, which in turn requires that |
| 34 | +any and all requests to CouchDB will have to be made with valid |
| 35 | +credentials, effectively forbidding any anonymous requests. |
| 36 | + |
| 37 | +The new `require_valid_user_except_for_up` is an off-by-default setting |
| 38 | +that was meant to allow requiring valid credentials for all endpoints |
| 39 | +except for the `/_up` endpoint. |
| 40 | + |
| 41 | +However, the implementation of this made an error that lead to not |
| 42 | +enforcing credentials on any endpoint, when enabled. |
| 43 | + |
| 44 | +CouchDB versions :ref:`3.0.1 <release/3.0.1>` and :ref:`3.1.0 |
| 45 | +<release/3.1.0>` fix this issue. |
| 46 | + |
| 47 | +Mitigation |
| 48 | +========== |
| 49 | + |
| 50 | +Users that have not enabled `require_valid_user_except_for_up` are not |
| 51 | +affected. |
| 52 | + |
| 53 | +Users that have it enabled can either disable it again, or upgrade to |
| 54 | +CouchDB versions :ref:`3.0.1 <release/3.0.1>` and :ref:`3.1.0 |
| 55 | +<release/3.1.0>` |
| 56 | + |
| 57 | +Credit |
| 58 | +====== |
| 59 | + |
| 60 | +This issue was discovered by Stefan Klein. |
0 commit comments