This is an automated email from the ASF dual-hosted git repository. wohali pushed a commit to branch 3.0.x-cve in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git
commit 93526e498b93b3d1d409809b7844d7aecffa2f16 Author: Jan Lehnardt <[email protected]> AuthorDate: Tue May 19 15:52:16 2020 +0200 feat: new cve, woop --- src/cve/2020-1955.rst | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/src/cve/2020-1955.rst b/src/cve/2020-1955.rst new file mode 100644 index 0000000..17345dd --- /dev/null +++ b/src/cve/2020-1955.rst 
@@ -0,0 +1,60 @@ +.. Licensed under the Apache License, Version 2.0 (the "License"); you may not +.. use this file except in compliance with the License. You may obtain a copy of +.. the License at +.. +.. http://www.apache.org/licenses/LICENSE-2.0 +.. +.. Unless required by applicable law or agreed to in writing, software +.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +.. License for the specific language governing permissions and limitations under +.. the License. + +.. _cve/2020-1955: + +=========================================================== +CVE-2020-1955: Apache CouchDB Remote Privilege Escalations +=========================================================== + +:Date: 19.05.2020 + +:Affected: 3.0.0 + +:Severity: Medium + +:Vendor: The Apache Software Foundation + +Description +=========== + +CouchDB version 3.0.0 shipped with a new configuration setting that +governs access control to the entire database server called +`require_valid_user_except_for_up`. It was meant as an extension to the +long standing setting `require_valid_user`, which in turn requires that +any and all requests to CouchDB will have to be made with valid +credentials, effectively forbidding any anonymous requests. + +The new `require_valid_user_except_for_up` is an off-by-default setting +that was meant to allow requiring valid credentials for all endpoints +except for the `/_up` endpoint. + +However, the implementation of this made an error that lead to not +enforcing credentials on any endpoint, when enabled. + +CouchDB versions :ref:`3.0.1 <release/3.0.1>` and :ref:`3.1.0 +<release/3.1.0>` fix this issue. + +Mitigation +========== + +Users that have not enabled `require_valid_user_except_for_up` are not +affected. 
+ +Users that have it enabled can either disable it again, or upgrade to +CouchDB versions :ref:`3.0.1 <release/3.0.1>` and :ref:`3.1.0 +<release/3.1.0>` + +Credit +====== + +This issue was discovered by Stefan Klein.
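Review bot: The Mitigation paragraph tells users to "upgrade to CouchDB versions :ref:`3.0.1 <release/3.0.1>` and :ref:`3.1.0 <release/3.1.0>`", which reads as if both upgrades are required; it should say "or", and the sentence is missing its trailing period. Two smaller points in the same hunk: the Description has "an error that lead to not enforcing credentials", which should be "led to"; and since the commit touches only this one file (1 file changed, 60 insertions), the new `cve/2020-1955` page is not referenced from any toctree here, so unless the CVE index uses a glob, Sphinx will warn that the document is not included in any toctree and the advisory will not appear in the rendered CVE list. Worth confirming the `release/3.0.1` and `release/3.1.0` labels exist on this branch as well, since both `:ref:` targets will otherwise render as broken cross-references.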
