This is an automated email from the ASF dual-hosted git repository. vatamane pushed a commit to branch add-cve-2023-45725-docs in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit b698022ae04f879ab2738ae9a3833090a4828865 Author: Nick Vatamaniuc <[email protected]> AuthorDate: Tue Dec 12 14:35:14 2023 -0500 Publish CVE-2023-45725 --- src/docs/src/cve/2023-45725.rst | 105 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) diff --git a/src/docs/src/cve/2023-45725.rst b/src/docs/src/cve/2023-45725.rst new file mode 100644 index 000000000..bf9dd6561 --- /dev/null +++ b/src/docs/src/cve/2023-45725.rst @@ -0,0 +1,105 @@ +.. Licensed under the Apache License, Version 2.0 (the "License"); you may not +.. use this file except in compliance with the License. You may obtain a copy of +.. the License at +.. +.. http://www.apache.org/licenses/LICENSE-2.0 +.. +.. Unless required by applicable law or agreed to in writing, software +.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +.. License for the specific language governing permissions and limitations under +.. the License. + +.. _cve/2023-45725: + +=========================================================================== +CVE-2023-45725: Apache CouchDB: Privilege Escalation Using Design Documents +=========================================================================== + +:Date: 12.12.2023 + +:Affected: 3.3.2 and below + +:Severity: Medium + +:Vendor: The Apache Software Foundation + +Description +=========== + +Design document functions which receive a user http request object may expose +authorization or session cookie headers of the user who accesses the document. + +These design document functions are: + * list + * show + * rewrite + * update + +An attacker can leak the session component using an HTML-like output, insert +the session as an external resource (such as an image), or store the credential +in a ``_local`` document with an "update" function. + +For the attack to succeed the attacker has to be able to insert the design +documents into the database, then manipulate a user to access a function from +that design document. + +Mitigation +========== + +CouchDB :ref:`3.3.3 <release/3.3.3>` scrubs the sentive headers from http +request objects passed to the query server execution environment. + +For versions older than :ref:`3.3.3 <release/3.3.3>` this patch applied to the +``loop.js`` file would also mitigate the issue: + +.. code-block:: diff + + diff --git a/share/server/loop.js b/share/server/loop.js + --- a/share/server/loop.js + +++ b/share/server/loop.js + @@ -49,6 +49,20 @@ function create_nouveau_sandbox() { + return sandbox; + } + + +function scrubReq(args) { + + var req = args.pop() + + if (req.method && req.headers && req.peer && req.userCtx) { + + delete req.cookie + + for (var p in req.headers) { + + if (req.headers.hasOwnProperty(p) && ["authorization", "cookie"].indexOf(p.toLowerCase()) !== -1) { + + delete req.headers[p] + + } + + } + + } + + args.push(req) + + return args + +} + + + // Commands are in the form of json arrays: + // ["commandname",..optional args...]\n + // + @@ -85,7 +99,7 @@ var DDoc = (function() { + var funPath = args.shift(); + var cmd = funPath[0]; + // the first member of the fun path determines the type of operation + - var funArgs = args.shift(); + + var funArgs = scrubReq(args.shift()); + if (ddoc_dispatch[cmd]) { + // get the function, call the command with it + var point = ddoc; + +Workarounds +=========== + +Avoid using design documents from untrusted sources which may attempt to access +or manipulate request object's headers. + +Credit +====== + +This issue was found by Natan Nehorai and reported by Or Peles from the JFrog +Vulnerability Research Team. + +It was also independently found by Richard Ellis and Mike Rhodes from +IBM/Cloudant.
