2.14. CVE-2021-38295: Apache CouchDB Privilege Escalation

    Date: 12.10.2021

    Affected: 3.1.1 and below

    Severity: Low

    Vendor: The Apache Software Foundation

    This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes.

    CouchDB 3.2.0 and onwards adds Content-Security-Policy headers for all attachment, _show and _list requests. This breaks certain niche use-cases and there are configuration options to restore the previous behaviour for those who need it.

    CouchDB defaults to the previous behaviour, but adds configuration options to turn Content-Security-Policy headers on for all affected requests.
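To confirm the mitigation is active on a given deployment, captured responses can be audited for the header on exactly the request types named above. The following is an added example, not CouchDB code: the function names, the simplified path classification and the sample responses (including the `sandbox` header value) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def classify(path):
    """Return 'attachment', 'show', 'list' or None for a CouchDB request path."""
    parts = [p for p in urlsplit(path).path.split("/") if p]
    if len(parts) < 3 or parts[0].startswith("_"):
        return None  # server-level endpoint, database, or plain document
    if parts[1] == "_design":
        if len(parts) >= 5 and parts[3] in ("_show", "_list"):
            return parts[3].lstrip("_")  # /db/_design/ddoc/_show|_list/fn/...
        if not parts[3:4] or parts[3].startswith("_"):
            return None  # design doc itself, or _view, _info, _update, ...
        return "attachment"  # /db/_design/ddoc/attname
    if parts[1].startswith("_"):
        return None  # _all_docs, _changes, _local/..., _partition/...
    return "attachment"  # /db/docid/attname

def missing_csp(responses):
    """Return (path, kind) for affected responses without a CSP header."""
    findings = []
    for path, headers in responses:
        kind = classify(path)
        if kind is None:
            continue
        # HTTP header names are case-insensitive, so normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        if not lowered.get("content-security-policy", "").strip():
            findings.append((path, kind))
    return findings

# Constructed sample: (request path, response headers) pairs, not real traffic.
SAMPLE = [
    ("/shop/order-17/invoice.html",
     {"Content-Type": "text/html", "Content-Security-Policy": "sandbox"}),
    ("/shop/order-18/notes.html", {"Content-Type": "text/html"}),
    ("/shop/_design/app/_show/page/order-17", {"content-type": "text/html"}),
    ("/shop/_design/app/_list/index/by_date?limit=5",
     {"content-security-policy": "sandbox"}),
    ("/shop/_all_docs", {"Content-Type": "application/json"}),
    ("/shop/order-18", {"Content-Type": "application/json"}),
]

if __name__ == "__main__":
    for path, kind in missing_csp(SAMPLE):
        print(f"no CSP on {kind} response: {path}")
```

Any path it reports on an upgraded instance indicates that the header has been switched off in configuration for that request type.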