Bug 662170

Summary:	dev-db/couchdb: Escalation privilege vulnerability (CVE-2018-8007)
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED DUPLICATE
Severity:	normal	CC:	djc
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B2 [ebuild cve]
Package list:		Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2018-07-26 07:22:24 UTC

CVE-2018-8007 (https://nvd.nist.gov/vuln/detail/CVE-2018-8007):
  Apache CouchDB administrative users can configure the database server via
  HTTP(S). Due to insufficient validation of administrator-supplied
  configuration settings via the HTTP API, it is possible for a CouchDB
  administrator user to escalate their privileges to that of the operating
  system's user that CouchDB runs under, by bypassing the blacklist of
  configuration settings that are not allowed to be modified via the HTTP API.
  This privilege escalation effectively allows an existing CouchDB admin user
  to gain arbitrary remote code execution, bypassing already disclosed
  CVE-2017-12636. Mitigation: All users should upgrade to CouchDB releases
  1.7.2 or 2.1.2.


@Maintainers please bump and call for stabilization when ready.

Thank you

Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev

2018-07-26 12:58:35 UTC

Whoever maintains this bot, it seems like this is easily recognizable as a duplicate of bug 660908?

*** This bug has been marked as a duplicate of bug 660908 ***