// For flags

CVE-2019-11464

 

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable, however some information security professionals additionally look for X-Permitted-Cross-Domain-Policies and X-XSS-Protection, which are more generally applicable to HTML endpoint, to be included too. These headers were not included in Couchbase Server 5.5.0 and 5.1.2 . They are now included in version 6.0.2 in responses from the Couchbase Server Views REST API (port 8092).

Algunas empresas requieren que los puntos finales API REST incluyan encabezados relacionados con la seguridad en las respuestas REST. Los encabezados como X-Frame-Options y X-Content-Type-Options son generalmente recomendables, sin embargo, algunos profesionales de seguridad de la información también buscan X-Permitted-Cross-Domain-Policies y X-XSS-Protection, que son más generalmente aplicables a Punto final HTML, para ser incluido también. Estos encabezados no se incluyeron en Couchbase Server 5.5.0 y 5.1.2. Ahora se incluyen en la versión 6.0.2 en las respuestas de la API REST de Couchbase Server Views (puerto 8092).

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-04-22 CVE Reserved
  • 2019-09-10 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://www.couchbase.com/resources/security#SecurityAlerts 2019-09-26
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Couchbase
Search vendor "Couchbase"
 Couchbase Server
Search vendor "Couchbase" for product "Couchbase Server"
 5.1.2
Search vendor "Couchbase" for product "Couchbase Server" and version "5.1.2"
-
Affected
Couchbase
Search vendor "Couchbase"
 Couchbase Server
Search vendor "Couchbase" for product "Couchbase Server"
 5.5.0
Search vendor "Couchbase" for product "Couchbase Server" and version "5.5.0"
-
Affected