CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-25644
https://notcve.org/view.php?id=CVE-2021-25644
An issue was discovered in Couchbase Server 5.x and 6.x through 6.6.1 and 7.0.0 Beta. Incorrect commands to the REST API can result in leaked authentication information being stored in cleartext in the debug.log and info.log files, and is also shown in the UI visible to administrators. Se detectó un problema en Couchbase Server versiones 5.x y versiones 6.x hasta 6.6.1 y versión 7.0.0 Beta. Unos comandos incorrectos de la API REST puede resultar que la información de autenticación filtrada sea almacenada en texto sin cifrar en los archivos debug.log e info.log, y también sea mostrado en la Interfaz de Usuario visible para unos administradores • https://www.couchbase.com/downloads https://www.couchbase.com/resources/security#SecurityAlerts • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 4.4EPSS: 0%CPEs: 3EXPL: 0CVE-2021-25645
https://notcve.org/view.php?id=CVE-2021-25645
An issue was discovered in Couchbase Server before 6.0.5, 6.1.x through 6.5.x before 6.5.2, and 6.6.x before 6.6.1. An internal user with administrator privileges, @ns_server, leaks credentials in cleartext in the cbcollect_info.log, debug.log, ns_couchdb.log, indexer.log, and stats.log files. NOTE: updating the product does not automatically address leaks that occurred in the past. Se detectó un problema en Couchbase Server versiones anteriores a 6.0.5, 6.1.x hasta versiones 6.5.x anteriores a 6.5.2 y versiones 6.6.x anteriores a 6.6.1. Un usuario interno con privilegios de administrador, @ns_server, filtra las credenciales en texto sin cifrar en los archivos cbcollect_info.log, debug.log, ns_couchdb.log, indexer.log y stats.log. • https://www.couchbase.com/downloads https://www.couchbase.com/resources/security#SecurityAlerts • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2020-9039
https://notcve.org/view.php?id=CVE-2020-9039
Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles. The endpoint was unauthenticated and has been updated to only allow authenticated users to access these administrative APIs. Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 a 4.6.5, 5.0.0, 5.1.1, 5.5.0 y 5.5.1 tienen permisos inseguros para puntos finales REST del proyector y del indexador (permiten el acceso no autenticado). El punto final REST / settings expuesto por el proceso del proyector es un punto final que los administradores pueden usar para diversas tareas, como actualizar la configuración y recopilar perfiles de rendimiento. El punto final no se autenticó y se actualizó para permitir solo a los usuarios autenticados acceder a estas API administrativas. • https://www.couchbase.com/resources/security#SecurityAlerts • CWE-276: Incorrect Default Permissions •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11496
https://notcve.org/view.php?id=CVE-2019-11496
In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication. As part of 5.0, the behavior of all buckets including "default" were changed to only allow access by authenticated users with sufficient authorization. However, users were allowed unauthenticated and unauthorized access to the "default" bucket if the properties of this bucket were edited. This has been fixed in versions 5.1.0 and 5.5.0. En las versiones de Couchbase Server anteriores a la version 5.0, el depósito denominado "predeterminado" era un depósito especial que permitía el acceso de lectura y escritura sin autenticación. • https://www.couchbase.com/resources/security#SecurityAlerts • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11497
https://notcve.org/view.php?id=CVE-2019-11497
In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. It then accepted the invalid certificate and attempted to use it to establish future connections to the remote cluster. This has been fixed in version 5.5.0. XDCR now checks the validity of the certificate thoroughly and prevents a remote cluster reference from being created with an invalid certificate. En Couchbase Server versión 5.0.0, cuando se ingresó un Certificado de clúster remoto no válido como parte de la creación de referencia, XDCR no analizó ni verificó la firma del certificado. • https://www.couchbase.com/resources/security#SecurityAlerts • CWE-295: Improper Certificate Validation •