Thanks Joan, you're accurate as usual.

Do you think it's worth writing to exploit-db to correct those misleading reports?

Sent from iPhone

> On 20 May 2020, at 19:29, Joan Touzet <[email protected]> wrote:
>
> Hi Andrea,
>
>> On 2020-05-20 9:37, Andrea Brancatelli wrote:
>> A client sent us a link about a supposed security problem with one of
>> our couchdb 2.3.1 instances.
>> He referred to this https://www.exploit-db.com/exploits/46595 which, to
>> me, seems quite a confused report that, I guess, can be related to an
>> "out of the box" couchdb setup in admin party.
>
> I agree.
>
> The first 3 things are just showing that, in admin party, you can create a
> DB, delete a DB, and create a document. This is nothing new.
>
> #4 is showing you can create an admin on a new install if there is no admin
> there already. Same thing.
>
> #5 and #6 are nonsense entries, in that they are adding nonsense config
> settings through the admin config API. Not only are these not possible once
> you leave admin party, junk in the config file like this will be ignored.
>
> There is no new exploit or CVE here.
>
>> Am I wrong? Does a correctly set up couchdb with a local admin and correct
>> grants to the dbs suffer from that issue?
>
> Nope! In short, none of this is possible once you disable admin party -
> except for #3 in 2.x, and that's fixable by tightening up each DB's _security.
>
>> Thanks.
>
> -Joan "open by default is confusing in 2020" Touzet
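The two conditions Joan describes, a node still in admin party and a database whose _security was never tightened, can be checked from the JSON a CouchDB 2.x node returns. The script below is an added example for operators auditing their own instances; it is not part of this thread or of the CouchDB project. It assumes that an unauthenticated GET /_session on an admin-party node reports the _admin role in userCtx, that GET /{db}/_security returns {} when nothing was ever set, and that the role names "app" and "ops" and the base URL are placeholders. The sample responses are constructed, so the audit runs offline; audit_live shows the same checks against a real node.

```python
import json
import urllib.request
from typing import Dict, List

# Constructed sample responses (not captured from a real server), shaped like
# CouchDB 2.x replies to an anonymous GET /_session and GET /{db}/_security.
SAMPLE_SESSION_ADMIN_PARTY = {
    "ok": True,
    "userCtx": {"name": None, "roles": ["_admin"]},
    "info": {"authentication_handlers": ["cookie", "default"]},
}
SAMPLE_SESSION_LOCKED_DOWN = {
    "ok": True,
    "userCtx": {"name": None, "roles": []},
    "info": {"authentication_handlers": ["cookie", "default"]},
}
SAMPLE_SECURITIES = {
    "orders": {},  # never tightened: an unset _security comes back as {}
    "customers": {"admins": {"names": [], "roles": []},
                  "members": {"names": [], "roles": []}},
    "audit_log": {"admins": {"names": [], "roles": ["ops"]},
                  "members": {"names": [], "roles": ["app"]}},
}


def is_admin_party(session_doc: dict) -> bool:
    """True when an anonymous /_session reply carries the _admin role:
    no server admin is configured, so every caller is an admin."""
    ctx = session_doc.get("userCtx") or {}
    return ctx.get("name") is None and "_admin" in (ctx.get("roles") or [])


def security_is_open(security_doc: dict) -> bool:
    """True when the members section names no users and no roles, which is
    what lets any user, anonymous included, read and write the database."""
    members = security_doc.get("members") or {}
    return not members.get("names") and not members.get("roles")


def audit(session_doc: dict, securities: Dict[str, dict]) -> List[str]:
    """One finding per exposure, databases in sorted order."""
    findings = []
    if is_admin_party(session_doc):
        findings.append("server: admin party (no server admin configured)")
    for db in sorted(securities):
        if security_is_open(securities[db]):
            findings.append(f"{db}: _security grants membership to everyone")
    return findings


def hardened_security(member_role: str, admin_role: str) -> dict:
    """The _security document that closes the per-database gap: only holders
    of member_role may read/write, only holders of admin_role may change
    design documents and _security itself. Role names are placeholders."""
    return {
        "admins": {"names": [], "roles": [admin_role]},
        "members": {"names": [], "roles": [member_role]},
    }


def audit_live(base_url: str, dbs: List[str]) -> List[str]:
    """The same audit against a running node (hypothetical base_url such as
    http://127.0.0.1:5984), issued anonymously so the admin-party check is
    meaningful. Not exercised by the offline run below."""
    def get(path: str) -> dict:
        with urllib.request.urlopen(base_url + path) as resp:
            return json.load(resp)
    return audit(get("/_session"), {db: get(f"/{db}/_security") for db in dbs})


if __name__ == "__main__":
    for line in audit(SAMPLE_SESSION_ADMIN_PARTY, SAMPLE_SECURITIES):
        print(line)
    print(json.dumps(hardened_security("app", "ops"), indent=2))
```

Creating a server admin clears the first finding; PUTting the document returned by hardened_security to each database's _security clears the per-database ones, which is the fix Joan points at for item #3.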
