2.2. CVE-2010-2234: Apache CouchDB Cross Site Request Forgery Attack

    21.02.2010

    Affected

    Apache CouchDB 0.8.0 to 0.11.1

    Severity

    Vendor

    The Apache Software Foundation

    Apache CouchDB versions prior to version 0.11.1 are vulnerable to (CSRF) attacks.

    All users should upgrade to CouchDB 0.11.2 or .

    Users on earlier versions should consult with upgrade notes.

    A malicious website can POST arbitrary JavaScript code to well known CouchDB installation URLs (like http://localhost:5984/) and make the browser execute the injected JavaScript in the security context of CouchDB’s admin interface Futon.

    Unrelated, but in addition the JSONP API has been turned off by default to avoid potential information leakage.

    This CSRF issue was discovered by a source that wishes to stay anonymous.