CVE-2022-24706

Summary

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache CouchDBApache CouchDB <= 3.2.1affected

Weaknesses

  • CWE-1188: CWE-1188 Insecure Default Initialization of Resource

Workarounds

CouchDB 3.2.2 and onwards will refuse to start with the former default Erlang cookie value of monster. Installations that upgrade to this versions are forced to choose a different value.

In addition, all binary packages have been updated to bind epmd as well as the CouchDB distribution port to 127.0.0.1 and/or ::1 respectively.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

References