CVE-2017-12635

Apache CouchDB - Arbitrary Command Execution

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.

Debido a las diferencias en el analizador sintáctico de JSON basado en Erlang y el el analizador sintáctico de JSON basado en JavaScript, es posible que, en versiones anteriores a la 1.7.0 y en las versiones 2.x anteriores a la 2.1.1 de Apache CouchDB, se puedan enviar documentos _users con claves duplicadas para "roles" empleados para el control de acceso en la base de datos, incluyendo el caso especial del rol "_admin", que denota a los usuarios administrativos. Esto puede utilizarse conjuntamente con CVE-2017-12636 (ejecución remota de código) para dar acceso a usuarios no administradores a comandos shell arbitrarios en el servidor como el usuario del sistema de la base de datos. Las diferencias entre analizadores sintácticos de JSON resultan en un comportamiento por el cual, si dos claves "roles" están disponibles en el JSON, la segunda se empleará para autorizar la escritura del documento, pero la primera clave "roles" se emplea para la subsecuente autorización para el usuario recientemente creado. Por diseño, los usuarios no pueden asignase roles a sí mismos. La vulnerabilidad permite que usuarios no administradores se autoasignen privilegios de administrador.

CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-08-07 CVE Reserved
2017-11-14 CVE Published
2019-12-15 First Exploit
2024-08-13 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-269: Improper Privilege Management

CAPEC

References (11)

URL	Tag	Source
http://www.securityfocus.com/bid/101868	Third Party Advisory
https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67%40%3Cdev.couchdb.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2018/01/msg00026.html	Mailing List
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03935en_us	X_refsource_confirm
https://justi.cz/security/2017/11/14/couchdb-rce-npm.html
https://wiki.apache.org/couchdb/HTTP_database_API

URL	Date	SRC
https://www.exploit-db.com/exploits/45019	2024-09-17
https://www.exploit-db.com/exploits/44498	2024-09-17
https://github.com/assalielmehdi/CVE-2017-12635	2019-12-15
https://github.com/cyberharsh/Apache-couchdb-CVE-2017-12635	2020-08-17

URL	Date	SRC

URL	Date	SRC
https://security.gentoo.org/glsa/201711-16	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Couchdb Search vendor "Apache" for product "Couchdb"				< 1.7.0 Search vendor "Apache" for product "Couchdb" and version " < 1.7.0"		-		Affected
Apache Search vendor "Apache"		Couchdb Search vendor "Apache" for product "Couchdb"				2.0.0 Search vendor "Apache" for product "Couchdb" and version "2.0.0"		-		Affected
Apache Search vendor "Apache"		Couchdb Search vendor "Apache" for product "Couchdb"				2.0.0 Search vendor "Apache" for product "Couchdb" and version "2.0.0"		rc1		Affected
Apache Search vendor "Apache"		Couchdb Search vendor "Apache" for product "Couchdb"				2.0.0 Search vendor "Apache" for product "Couchdb" and version "2.0.0"		rc2		Affected
Apache Search vendor "Apache"		Couchdb Search vendor "Apache" for product "Couchdb"				2.0.0 Search vendor "Apache" for product "Couchdb" and version "2.0.0"		rc3		Affected
Apache Search vendor "Apache"		Couchdb Search vendor "Apache" for product "Couchdb"				2.0.0 Search vendor "Apache" for product "Couchdb" and version "2.0.0"		rc4		Affected