2.15. CVE-2022-24706: Apache CouchDB Remote Privilege Escalation

25.04.2022

Affected

3.2.1 and below

Severity

Vendor

The Apache Software Foundation

An attacker can access an improperly secured default installation without authenticating and gain admin privileges.

The CouchDB documentation has always made recommendations for properly securing an installation, but not all users follow the advice.

We recommend a firewall in front of all CouchDB installations. The full CouchDB api is available on registered port 5984 and this is the only port that needs to be exposed for a single-node install. Installations that do not expose the separate distribution port to external access are not vulnerable.

CouchDB and onwards will refuse to start with the former default erlang cookie value of monster. Installations that upgrade to this versions are forced to choose a different value.

In addition, all binary packages have been updated to bind epmd as well as the CouchDB distribution port to 127.0.0.1 and/or ::1 respectively.