CVE-2020-9042
https://notcve.org/view.php?id=CVE-2020-9042
In Couchbase Server 6.0, credentials cached by a browser can be used to perform a CSRF attack if an administrator has used their browser to check the results of a REST API request. En Couchbase Server versión 6.0, las credenciales almacenadas en memoria caché por un navegador pueden ser usadas para llevar a cabo un ataque de tipo CSRF si un administrador ha usado su navegador para comprobar los resultados de una petición de la API REST • https://www.couchbase.com/resources/security#SecurityAlerts • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2019-11466
https://notcve.org/view.php?id=CVE-2019-11466
In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes system diagnostic profile via an HTTP endpoint that does not require credentials on a port earmarked for internal traffic only. This has been remedied in version 6.0.1 and now requires valid credentials to access. En Couchbase Server versiones 6.0.0 y 5.5.0, el servicio de eventos expone el perfil de diagnóstico del sistema a través de un punto final HTTP que no requiere credenciales en un puerto destinado solo para tráfico interno. Esto se solucionó en la versión 6.0.1 y ahora requiere credenciales válidas para acceder. • https://www.couchbase.com/resources/security#SecurityAlerts • CWE-306: Missing Authentication for Critical Function •
CVE-2019-11465
https://notcve.org/view.php?id=CVE-2019-11465
An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a non-redacted username. The system information submitted to Couchbase as part of a bug report included the usernames for all users currently logged into the system even if the log was redacted for privacy. This has been fixed (in 5.5.4 and 6.0.1) so that usernames are tagged properly in the logs and are hashed out when the logs are redacted. Se detectó un problema en Couchbase Server versiones 5.5.x hasta 5.5.3 y versión 6.0.0. • https://www.couchbase.com/resources/security#SecurityAlerts • CWE-532: Insertion of Sensitive Information into Log File •