662170 – dev-db/couchdb: Escalation privilege vulnerability (CVE-2018-8007)

Bug 662170 - dev-db/couchdb: Escalation privilege vulnerability (CVE-2018-8007)

Summary: dev-db/couchdb: Escalation privilege vulnerability (CVE-2018-8007)

Status:	RESOLVED DUPLICATE of bug 660908

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [ebuild cve]
Keywords:

Depends on:
Blocks:

Reported:	2018-07-26 07:22 UTC by GLSAMaker/CVETool Bot
Modified:	2018-07-26 12:58 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2018-07-26 07:22:24 UTC

CVE-2018-8007 (https://nvd.nist.gov/vuln/detail/CVE-2018-8007):
  Apache CouchDB administrative users can configure the database server via
  HTTP(S). Due to insufficient validation of administrator-supplied
  configuration settings via the HTTP API, it is possible for a CouchDB
  administrator user to escalate their privileges to that of the operating
  system's user that CouchDB runs under, by bypassing the blacklist of
  configuration settings that are not allowed to be modified via the HTTP API.
  This privilege escalation effectively allows an existing CouchDB admin user
  to gain arbitrary remote code execution, bypassing already disclosed
  CVE-2017-12636. Mitigation: All users should upgrade to CouchDB releases
  1.7.2 or 2.1.2.


@Maintainers please bump and call for stabilization when ready.

Thank you

Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev

2018-07-26 12:58:35 UTC

Whoever maintains this bot, it seems like this is easily recognizable as a duplicate of bug 660908?

*** This bug has been marked as a duplicate of bug 660908 ***