CVE-2017-12635

Published: 14/11/2017 Updated: 07/11/2023
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Due to differences between the Erlang-based JSON parser and the JavaScript-based JSON parser, it is possible in Apache CouchDB prior to 1.7.0 and 2.x prior to 2.1.1 to submit _users documents with duplicate keys for 'roles', the field used for access control within the database, including the special case '_admin' role, which denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. Because of the parser differences, if two 'roles' keys are present in the JSON, the second one is used for authorising the document write, but the first 'roles' key is used for subsequent authorization of the newly created user. By design, users cannot assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.
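An added example, not taken from the advisory or from CouchDB's code: a strict parse that a reverse proxy or pre-validation step could apply to _users document bodies, rejecting repeated keys so that no two parsers can disagree about 'roles'. The function names and the sample request bodies are constructed for illustration.

```python
import json


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key at any nesting level."""


def _reject_duplicates(pairs):
    # json calls this hook once per object with its (key, value) pairs in order.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        seen[key] = value
    return seen


def _first_wins(pairs):
    # Model of a parser that keeps the first occurrence of a repeated key.
    out = {}
    for key, value in pairs:
        out.setdefault(key, value)
    return out


def roles_views(body):
    """Return 'roles' as seen by a first-key parser and by a last-key parser."""
    first = json.loads(body, object_pairs_hook=_first_wins)
    last = json.loads(body)  # Python's json module keeps the last duplicate
    return first.get("roles"), last.get("roles")


def check_users_doc(body):
    """Classify a document body as 'ok', 'duplicate-key' or 'invalid-json'."""
    try:
        json.loads(body, object_pairs_hook=_reject_duplicates)
    except DuplicateKeyError:
        return "duplicate-key"
    except json.JSONDecodeError:
        return "invalid-json"
    return "ok"


# Constructed sample bodies (not captured traffic).
BENIGN = '{"type": "user", "name": "alice", "roles": [], "password": "example"}'
SUSPECT = ('{"type": "user", "name": "mallory", "roles": ["_admin"], '
           '"roles": [], "password": "example"}')

if __name__ == "__main__":
    for doc in (BENIGN, SUSPECT):
        print(check_users_doc(doc), roles_views(doc))
```

A body classified as duplicate-key should be rejected before it reaches the database; when the two views returned by roles_views differ, the request is one that the two parsers would have interpreted differently.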

Vulnerable Product

apache couchdb

apache couchdb 2.0.0

Vendor Advisories

Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination wi ...

Exploits

#!/usr/bin/env python ''' @author: r4wd3r @license: MIT License @contact: r4wd3r@gmail.com ''' import argparse import re import sys import requests parser = argparse.ArgumentParser( description='Exploits the Apache CouchDB JSON Remote Privilege Escalation Vulnerability' + ' (CVE-2017-12635)') parser.add_argument('host' ...
## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper def initialize(inf ...
Apache CouchDB versions 1.7.0 and 2.x before 2.1.1 suffer from a remote privilege escalation vulnerability ...
CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including do ...
Apache CouchDB versions prior to 2.1.0 remote code execution proof of concept exploit ...

Github Repositories

Apache CouchDB 1.7.0 / 2.x < 2.1.1 - CVE-2017-12635 - Remote Privilege Escalation. Detail: Apache CouchDB is a document-oriented NoSQL database, implemented in Erlang. Due to the discrepancy between the Erlang-based JSON parser and JavaScript-based JSON parser, there was a vulnerability in CouchDB before 1.7.0 and 2.x before 2.1.1 allowing non-admin users to escalate priv

📝ENUMERATION PORTS !!!📝 Port 21 - FTP 🚀: nmap --script ftp-* -p 21 10111111 Port 22 - SSH 🚀: If you have usernames test login with username:username Vulnerable Versions to user enum: <77 # Enum SSH # Get version nmap 101111 -p22 -sV # Get banner nc 101111 22 # Get login banner ssh root@1011111 # Get algory

CouchDB 1.7.1 for Centos7 RPMs

couchdb17-centos7: You absolutely need to install these ASAP if you are still running 1.6.x. It has 2 CVEs listed with remote code execution: www.cvedetails.com/cve/CVE-2017-12636/ www.cvedetails.com/cve/CVE-2017-12635/ Add erlang-solutions.repo to /etc/yum.repos.d. Install Erlang 20.2 to check that the repo works: yum install -y erlang-erts. Install files in

Etude_Faille_CVE_12635 & 12636: Work carried out as part of the SEOC 2020/2021 certification. Wiki available here for further explanation of the security flaw studied. Available in this repository: Docker-compose file to isolate the CouchDB service under study in a container, port: 5984. Script

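CouchDB vertical privilege bypass vulnerability (CVE-2017-12635). Apache CouchDB is an open-source database focused on ease of use and on being "a database that completely embraces the web". It is a NoSQL database that uses JSON as its storage format, JavaScript as its query language, and MapReduce and HTTP as its API. It is widely used, for example by the BBC in its dynamic content display platform and by Credit Suisse in its internal commodities department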

Case study and POC of CVE-2017-12635: Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

CVE-2017-12635: Case study and PoC of CVE-2017-12635 (Apache CouchDB 1.7.0 / 2.x < 2.1.1) - Remote Privilege Escalation. Presentation: CouchDB. Apache CouchDB is a document-oriented NoSQL database, implemented in Erlang. CouchDB uses multiple formats and protocols to store, transfer, and process its data; it uses JSON to store data, JavaScript as its query language usi