Vulnerability Details : CVE-2018-17188
Prior to CouchDB version 2.3.0, CouchDB allowed for runtime-configuration of key components of the database. In some cases, this led to vulnerabilities where CouchDB admin users could access the underlying operating system as the CouchDB user. Together with other vulnerabilities, it allowed full system entry for unauthenticated users. Rather than waiting for new vulnerabilities to be discovered, and fixing them as they come up, the CouchDB development team decided to make changes to avoid this entire class of vulnerabilities.
Products affected by CVE-2018-17188
- cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*
Threat overview for CVE-2018-17188
- Top open port discovered on systems with this issue: 443
- IPs affected by CVE-2018-17188: 10
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2018-17188
- EPSS score: 0.14% (probability of exploitation activity in the next 30 days)
- Percentile: ~50% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-17188
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST | |
References for CVE-2018-17188
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03935en_us
  HPESBMU03935 rev.1 - HPE Unified OSS Console Software Products using Apache CouchDB, Remote Code Execution, Remote Escalation of Privilege
- https://blog.couchdb.org/2018/12/17/cve-2018-17188/
  Apache CouchDB CVE-2018-17188: Remote Privilege Escalations – CouchDB Blog (Mitigation; Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S5FPHVVU5KMRFKQTJPAM3TBGC7LKCWQS/
  [SECURITY] Fedora 32 Update: couchdb-3.0.0-1.fc32 - package-announce - Fedora Mailing-Lists
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3JOUCX7LHDV4YWZDQNXT5NTKKRANZQW/
  [SECURITY] Fedora 31 Update: couchdb-3.0.0-1.fc31 - package-announce - Fedora Mailing-Lists