On 2020-05-20 3:52 p.m., Andrea Brancatelli wrote:
Thanks Joan,
You’re accurate as usual.
Do you think it’s worth writing to exploit-db to correct those misleading
reports?
Well, it says the exploit is "unconfirmed," which I think means it's
just some random user's submission. I think it's meaningless enough (and
easily explainable, by pointing anyone to this public email thread via
https://lists.apache.org/) to not warrant official project action, but
if you want, you're welcome to write to them :)
-Joan "late nights this week" Touzet
Sent from iPhone
On 20 May 2020, at 19:29, Joan Touzet <[email protected]> wrote:
Hi Andrea,
On 2020-05-20 9:37, Andrea Brancatelli wrote:
A client sent us a link about a supposed security problem with one of
our couchdb 2.3.1 instances.
He referred to this https://www.exploit-db.com/exploits/46595 which, to
me, seems quite a confused report that, I guess, can be related to an
"out of the box" couchdb setup in admin party.
I agree.
The first 3 things are just showing that, in admin party, you can create a DB,
delete a DB, and create a document. This is nothing new.
#4 is showing you can create an admin on a new install if there is no admin
there already. Same thing.
#5 and #6 are nonsense entries, in that they are adding nonsense config
settings through the admin config API. Not only are these not possible once you
leave admin party, junk in the config file like this will be ignored.
There is no new exploit or CVE here.
Am I wrong? Does a correctly set up couchdb with a local admin and correct
grants to the dbs suffer from that issue?
Nope! In short, none of this is possible once you disable admin party - except
for #3 in 2.x, and that's fixable by tightening up each DB's _security.
Thanks.
-Joan "open by default is confusing in 2020" Touzet
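As an added example (not part of this thread and not CouchDB project code), a small Python checker for the two conditions Joan describes: a node still in admin party, visible as an anonymous GET /_session whose userCtx carries the _admin role, and a database whose _security has empty members, which is the condition "fixable by tightening up each DB's _security". The session and _security JSON below are constructed samples, and the role name app_rw is an assumption.

```python
import copy
import json

# Constructed sample: what GET /_session returns from a CouchDB 2.x node that
# is still in admin party (no authenticated name, yet the _admin role is granted).
ADMIN_PARTY_SESSION = json.loads(
    '{"ok":true,"userCtx":{"name":null,"roles":["_admin"]},'
    '"info":{"authentication_db":"_users","authentication_handlers":["cookie","default"]}}'
)

# Constructed samples of a database _security document: the default (open) one
# and one restricted to a role. "app_rw" is an assumed role name.
OPEN_SECURITY = {"admins": {"names": [], "roles": []},
                 "members": {"names": [], "roles": []}}
TIGHT_SECURITY = {"admins": {"names": ["dbadmin"], "roles": []},
                  "members": {"names": [], "roles": ["app_rw"]}}


def is_admin_party(session):
    """True when an unauthenticated request is treated as a server admin."""
    ctx = session.get("userCtx") or {}
    return ctx.get("name") is None and "_admin" in (ctx.get("roles") or [])


def security_findings(sec):
    """Classify a _security document.

    open_members: members lists are empty, so every user (including anonymous
    ones, if the node still allows them) can read and write documents.
    open_admins: no db-level admins are named; only server admins can change
    design documents and this _security document (informational, not a flaw).
    """
    members = sec.get("members") or {}
    admins = sec.get("admins") or {}
    return {
        "open_members": not members.get("names") and not members.get("roles"),
        "open_admins": not admins.get("names") and not admins.get("roles"),
    }


def tighten_members(sec, role):
    """Return a copy of sec whose members section requires the given role."""
    out = copy.deepcopy(sec)
    members = out.setdefault("members", {"names": [], "roles": []})
    roles = members.setdefault("roles", [])
    if role not in roles:
        roles.append(role)
    return out
```

The tightened document is what you would PUT to /<db>/_security as a server admin once admin party is disabled.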