Hi Andrea,

On 2020-05-20 9:37, Andrea Brancatelli wrote:
> A client sent us a link about a supposed security problem with one of
> our couchdb 2.3.1 instances.
>
> He related to this https://www.exploit-db.com/exploits/46595 which, to
> me, seems a quite confused report that, I guess, can be related to a
> "out of the box" couchdb setup in admin party.

I agree.

The first 3 things are just showing that, in admin party, you can create a DB, delete a DB, and create a document. This is nothing new.

#4 is showing you can create an admin on a new install if there is no admin there already. Same thing.

#5 and #6 are nonsense entries, in that they are adding nonsense config settings through the admin config API. Not only are these not possible once you leave admin party, junk in the config file like this will be ignored.

There is no new exploit or CVE here.

> Am I wrong? Does a correctly set up couchdb with a local admin and correct
> grants to the dbs suffer from that issue?

Nope! In short, none of this is possible once you disable admin party - except for #3 in 2.x, and that's fixable by tightening up each DB's _security.


Thanks.


-Joan "open by default is confusing in 2020" Touzet
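A small check for the two conditions Joan describes (a node still in admin party, and a 2.x database whose _security has no members), added here as an example and not part of the thread. The _session and _security JSON below are constructed samples in the shape CouchDB 2.x returns; nothing is fetched from a server.

```python
import json

# Constructed sample of GET /_session on an admin-party node: no admin has
# been created yet, so an unauthenticated caller is handed the _admin role.
SESSION_ADMIN_PARTY = json.loads(
    '{"ok":true,"userCtx":{"name":null,"roles":["_admin"]}}'
)
# Constructed sample after an admin exists and no credentials are sent.
SESSION_ANON = json.loads('{"ok":true,"userCtx":{"name":null,"roles":[]}}')

# Constructed _security doc of a freshly created 2.x database.
SECURITY_OPEN = json.loads(
    '{"admins":{"names":[],"roles":[]},"members":{"names":[],"roles":[]}}'
)


def is_admin_party(session):
    """True when an unauthenticated /_session call still carries _admin."""
    ctx = session.get("userCtx", {})
    return ctx.get("name") is None and "_admin" in ctx.get("roles", [])


def security_is_open(security):
    """True when _security lets any authenticated user read and write.

    In 2.x an empty members section means "everyone" (the #3 case from the
    thread); a missing or empty doc ({}) is treated the same way.
    """
    members = security.get("members", {})
    return not members.get("names") and not members.get("roles")


def tightened_security(security, admin_roles, member_roles):
    """Return a copy of _security restricting admins and members to roles."""
    hardened = json.loads(json.dumps(security))  # deep copy, leave input alone
    admins = hardened.setdefault("admins", {})
    admins["roles"] = sorted(set(admin_roles))
    admins.setdefault("names", [])
    members = hardened.setdefault("members", {})
    members["roles"] = sorted(set(member_roles))
    members.setdefault("names", [])
    return hardened


if __name__ == "__main__":
    print("admin party:", is_admin_party(SESSION_ADMIN_PARTY))
    fixed = tightened_security(SECURITY_OPEN, ["ops"], ["app"])
    print("open before:", security_is_open(SECURITY_OPEN))
    print("open after:", security_is_open(fixed))
```

The hardened doc is what you would PUT to /{db}/_security for each database once admin party is disabled.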
