CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2021-42763
https://notcve.org/view.php?id=CVE-2021-42763
Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included in the HTTP request, has the "@" user credentials of the node processing the UI request. Couchbase Server versiones anteriores a 6.6.3 y 7.x anteriores a 7.0.2, almacena información confidencial en texto sin cifrar. El problema se produce cuando el administrador de clústeres reenvía una petición HTTP desde la UI pluggable (query workbench, etc.) al servicio específico. • https://docs.couchbase.com/server/current/release-notes/relnotes.html https://www.couchbase.com/alerts • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2021-35945
https://notcve.org/view.php?id=CVE-2021-35945
Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached. Couchbase Server versiones 6.5.x, 6.6.0 hasta 6.6.2, y 7.0.0, presenta un desbordamiento del búfer. Un paquete de red especialmente diseñado enviado por un atacante puede bloquear memcached • https://docs.couchbase.com/server/current/release-notes/relnotes.html https://www.couchbase.com/alerts • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 4.4EPSS: 0%CPEs: 3EXPL: 0CVE-2021-25645
https://notcve.org/view.php?id=CVE-2021-25645
An issue was discovered in Couchbase Server before 6.0.5, 6.1.x through 6.5.x before 6.5.2, and 6.6.x before 6.6.1. An internal user with administrator privileges, @ns_server, leaks credentials in cleartext in the cbcollect_info.log, debug.log, ns_couchdb.log, indexer.log, and stats.log files. NOTE: updating the product does not automatically address leaks that occurred in the past. Se detectó un problema en Couchbase Server versiones anteriores a 6.0.5, 6.1.x hasta versiones 6.5.x anteriores a 6.5.2 y versiones 6.6.x anteriores a 6.6.1. Un usuario interno con privilegios de administrador, @ns_server, filtra las credenciales en texto sin cifrar en los archivos cbcollect_info.log, debug.log, ns_couchdb.log, indexer.log y stats.log. • https://www.couchbase.com/downloads https://www.couchbase.com/resources/security#SecurityAlerts • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2020-9039
https://notcve.org/view.php?id=CVE-2020-9039
Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles. The endpoint was unauthenticated and has been updated to only allow authenticated users to access these administrative APIs. Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 a 4.6.5, 5.0.0, 5.1.1, 5.5.0 y 5.5.1 tienen permisos inseguros para puntos finales REST del proyector y del indexador (permiten el acceso no autenticado). El punto final REST / settings expuesto por el proceso del proyector es un punto final que los administradores pueden usar para diversas tareas, como actualizar la configuración y recopilar perfiles de rendimiento. El punto final no se autenticó y se actualizó para permitir solo a los usuarios autenticados acceder a estas API administrativas. • https://www.couchbase.com/resources/security#SecurityAlerts • CWE-276: Incorrect Default Permissions •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11496
https://notcve.org/view.php?id=CVE-2019-11496
In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication. As part of 5.0, the behavior of all buckets including "default" were changed to only allow access by authenticated users with sufficient authorization. However, users were allowed unauthenticated and unauthorized access to the "default" bucket if the properties of this bucket were edited. This has been fixed in versions 5.1.0 and 5.5.0. En las versiones de Couchbase Server anteriores a la version 5.0, el depósito denominado "predeterminado" era un depósito especial que permitía el acceso de lectura y escritura sin autenticación. • https://www.couchbase.com/resources/security#SecurityAlerts • CWE-306: Missing Authentication for Critical Function •