An attacker can access an improperly secured default installation without authenticating and gain admin privileges. CouchDB 3.2.2 and onwards will refuse to start with the former default Erlang cookie value of 'monster', so installations that upgrade to this version are forced to choose a different value. In addition, all binary packages have been updated to bind both epmd and the CouchDB distribution port to the loopback addresses 127.0.0.1 and/or ::1.
https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
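As an added example (not from the advisory or the CouchDB project), a small Python audit that checks a node for the two mitigations described above: a non-default Erlang cookie and loopback-only binding of epmd and the distribution port. It assumes the standard CouchDB vm.args layout with the Erlang `-setcookie` and `-kernel inet_dist_use_interface` flags, and the `ERL_EPMD_ADDRESS` environment variable for epmd; the sample file contents are constructed.

```python
# Constructed sample vm.args contents (assumed format: one Erlang VM flag per
# line, '#' starts a comment); the first mirrors the former default cookie.
VULNERABLE_VM_ARGS = """\
# All nodes in a cluster must share the same magic cookie
-setcookie monster
"""
HARDENED_VM_ARGS = """\
-setcookie c0nstructed-example-cookie-replace-me
# Bind the Erlang distribution listener to loopback only
-kernel inet_dist_use_interface {127,0,0,1}
"""
FORMER_DEFAULT_COOKIE = "monster"
LOOPBACK_TUPLES = {"{127,0,0,1}", "{0,0,0,0,0,0,0,1}"}  # Erlang tuples for 127.0.0.1 / ::1
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}

def parse_vm_args(text):
    """Map each flag (e.g. '-setcookie') to the list of its argument lists."""
    flags = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("-"):
            parts = line.split()
            flags.setdefault(parts[0], []).append(parts[1:])
    return flags

def audit_vm_args(text):
    """Findings for the vm.args-level mitigations; an empty list means both are present."""
    findings, flags = [], parse_vm_args(text)
    cookies = [args[0] for args in flags.get("-setcookie", []) if args]
    if not cookies:
        findings.append("no -setcookie in vm.args; cookie falls back to ~/.erlang.cookie")
    elif FORMER_DEFAULT_COOKIE in cookies:
        findings.append("Erlang cookie is the former default 'monster'")
    ifaces = {args[1] for args in flags.get("-kernel", [])
              if len(args) >= 2 and args[0] == "inet_dist_use_interface"}
    if not ifaces:
        findings.append("distribution port not limited to loopback (no inet_dist_use_interface)")
    elif not ifaces <= LOOPBACK_TUPLES:
        findings.append("distribution port bound to non-loopback: " + ", ".join(sorted(ifaces - LOOPBACK_TUPLES)))
    return findings

def audit_epmd_env(env):
    """epmd's bind address comes from ERL_EPMD_ADDRESS (comma-separated); env is a dict like os.environ."""
    addrs = {a.strip() for a in env.get("ERL_EPMD_ADDRESS", "").split(",") if a.strip()}
    if not addrs:
        return ["ERL_EPMD_ADDRESS unset: epmd listens on all interfaces"]
    bad = addrs - LOOPBACK_ADDRS
    return ["epmd bound to non-loopback: " + ", ".join(sorted(bad))] if bad else []
```

Run `audit_vm_args` on the node's real vm.args text and `audit_epmd_env(os.environ)` in the service's environment; any returned finding means one of the advisory's mitigations is missing.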