17. Security Issues Information

    18. Reporting New Security Problems with Apache CouchDB

    We strongly encourage folks to report such problems to our private security mailing list first, before disclosing them in a public forum.

    Please note that the security mailing list should only be used for reporting undisclosed security vulnerabilities in Apache CouchDB and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other queries at this address. All mail sent to this address that does not relate to an undisclosed security problem in the Apache CouchDB source code will be ignored.

    Questions about:

    • How to configure CouchDB securely
    • If a vulnerability applies to your particular application
    • Availability of patches and/or new releases
    should be addressed to the . Please see the mailing lists page for details of how to subscribe.

    The private security mailing address is:

    Note that all networked servers are subject to denial of service attacks, and we cannot promise magic workarounds to generic problems (such as a client streaming lots of data to your server, or re-requesting the same URL repeatedly). In general our philosophy is to avoid any attacks which can cause the server to consume resources in a non-linear relationship to the size of inputs.