<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2021-38295 Apache CouchDB <= 3.1.1 privilege escalation
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Jan Lehnardt <jan () apache org>
Date: Tue, 12 Oct 2021 10:56:13 +0200
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Description
===========
A malicious user with permission to create documents in a
database is able to attach a HTML attachment to a document.
If a CouchDB admin opens that attachment in a browser, e.g.
via the CouchDB admin interface Fauxton, any JavaScript code
embedded in that HTML attachment will be executed within the
security context of that admin. A similar route is available
with thealready deprecated `_show` and `_list` functionality.
This *privilege escalation* vulnerability allows an attacker
to add or remove data in any database or make configuration
changes.
Mitigation
==========
CouchDB 3.2.0 and onwards adds `Content-Security-Policy`
headers for all attachment, `_show` and `_list` requests.
This breaks certain niche use-cases and there are
configuration options to restore the previous behaviour for
those who need it.
CouchDB 3.1.2 defaults to the previous behaviour, but adds
configuration options to turn `Content-Security-Policy` headers
on for all affected requests.
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
CVE-2021-38295 Apache CouchDB <= 3.1.1 privilege escalation Jan Lehnardt (Oct 12)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->