CVE-2023-26268 MEDIUM

CVE-2023-26268: Apache CouchDB, IBM Cloudant: Information sharing via couchjs processes

Vendor Apache Software Foundation

Product Apache CouchDB

Weakness CWE-200 · Info exposure

Published May 2, 2023

Last update October 15, 2024

View on NVD All CVEs

CVSS base score

4.4/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list * filter * filter views (using view functions as filters) * rewrite * update This doesn't affect map/reduce or search (Dreyfus) index functions. Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3). Workaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment.

Key dates

Disclosure timeline

May 2, 2023 CVE published

October 15, 2024 Record updated

Identifiers

CVE CVE-2023-26268

CWE CWE-200

CVSS 4.4 / MEDIUM

Affected versions

Vendor Apache Software Foundation

Product Apache CouchDB

Affected ≤ 3.3.1

Vendor Apache Software Foundation

Product IBM Cloudant

Affected ≤ 8349