JSON parser, it is possible to submit _users documents with duplicate keys for
`roles` used for access control within the database, including the special case
`_admin` role, that denotes administrative users. In combination with
`CVE-2017-12636` (Remote Code Execution), this can be used to give non-admin
users access to arbitrary shell commands on the server as the database system

The JSON parser differences result in behaviour that if two `roles` keys
are available in the JSON, the second one will be used for authorising the
document write, but the first `roles` key is used for subsequent
authorization for the newly created user. By design, users cannot assign
themselves roles. The vulnerability allows non-admin users to give
themselves admin privileges.

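As an added illustration (not from the advisory or from CouchDB's own code), the Python script below shows how a first-wins and a last-wins JSON parser disagree about a constructed _users document that carries `roles` twice, and a strict loader that rejects any duplicate key outright. Both parser behaviours are mimicked with the standard library `json` module; the real CouchDB parsers are not involved.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample (not taken from the advisory): a _users document that
# carries the `roles` key twice, the shape the CVE-2017-12635 write-up describes.
SAMPLE_DOC = (
    '{"_id": "org.couchdb.user:alice", "name": "alice", "type": "user",'
    ' "roles": ["_admin"], "roles": []}'
)


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key."""


def _reject_duplicates(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    # Called for every object (nested ones included) while json.loads parses.
    obj: Dict[str, Any] = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def strict_loads(text: str) -> Any:
    """Hardened behaviour: refuse any document containing a duplicate key."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def first_wins_loads(text: str) -> Any:
    """Mimic a parser that keeps the first occurrence of a repeated key."""
    return json.loads(text, object_pairs_hook=lambda pairs: dict(reversed(pairs)))


def last_wins_loads(text: str) -> Any:
    """Mimic a parser that keeps the last occurrence (Python's default)."""
    return json.loads(text)


def roles_seen(text: str) -> Tuple[Any, Any]:
    """Return (roles a first-wins parser sees, roles a last-wins parser sees)."""
    return first_wins_loads(text).get("roles"), last_wins_loads(text).get("roles")


def accepted_by_strict_loader(text: str) -> bool:
    """True only if the document parses without any duplicate key."""
    try:
        strict_loads(text)
    except DuplicateKeyError:
        return False
    return True
```

For the sample, `roles_seen` returns `(["_admin"], [])`, which is exactly the two views the advisory describes; `accepted_by_strict_loader` returns `False` for it, so a write path using the strict loader never reaches the authorisation step with two different answers.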
We addressed this issue by updating the way CouchDB parses JSON in

This issue was discovered by `Max Justicz` (https://mastodon.mit.edu/@maxj)

See also: Max’s own blog post about the issue and the motivation behind
his research: https://justi.cz/security/2017/11/14/couchdb-rce-npm.html

CouchDB administrative users can configure the database server via HTTP(S). Some
of the configuration options include paths for operating system-level binaries
that are subsequently launched by CouchDB. This allows a CouchDB admin user to
execute arbitrary shell commands as the CouchDB user, including downloading
and executing scripts from the public internet.

Reproducible: Didn't try

Bumped 1.7.1, feel free to stabilize.

All arches stable, vulnerable versions cleaned up.

GLSA request filed.

This issue was resolved and addressed in
GLSA 201711-16 at https://security.gentoo.org/glsa/201711-16
by GLSA coordinator Christopher Diaz Riveros (chrisadr).