- Published: 2020-05-19
- Detected: 2020-05-19
- Vulnerability type: Security update
- Risk level: Medium
- Fixed version: 3.0.1 / 3.1.0 (per the vendor advisory below)
- Intelligence contributed by: TSRC
2.13. CVE-2020-1955: Apache CouchDB Remote Privilege Escalation
Date: 19.05.2020
Affected: 3.0.0
Severity: Medium
Vendor: The Apache Software Foundation

2.13.1. Description
CouchDB version 3.0.0 shipped with a new configuration setting that governs access control to the entire database server, called require_valid_user_except_for_up. It was meant as an extension to the long-standing setting require_valid_user, which requires that any and all requests to CouchDB be made with valid credentials, effectively forbidding anonymous requests.
The new require_valid_user_except_for_up is an off-by-default setting that was meant to require valid credentials for all endpoints except the /_up endpoint.
However, the implementation contained an error that led to credentials not being enforced on any endpoint when the setting was enabled.
CouchDB versions 3.0.1 and 3.1.0 fix this issue.

2.13.2. Mitigation
Users who have not enabled require_valid_user_except_for_up are not affected.
Users who have it enabled can either disable it again, or upgrade to CouchDB version 3.0.1 or 3.1.0.

2.13.3. Credit
This issue was discovered by Stefan Klein.
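The practical check for this advisory is behavioural: with require_valid_user_except_for_up enabled, /_up should answer anonymously and every other endpoint should demand credentials, while an affected 3.0.0 node answers everything anonymously. The script below is an added example (not part of the Apache advisory or the CouchDB project) that sends unauthenticated GETs and classifies the outcome. The base URL, the use of /_all_dbs as the representative protected endpoint, and treating 401/403 as "credentials required" are assumptions made for illustration.

```python
"""Added example: probe whether a CouchDB node enforces authentication the way
require_valid_user_except_for_up is meant to (/_up open, everything else
authenticated). Not CouchDB project code; base URL, probe endpoint and the
status codes counted as rejections are assumptions for illustration."""
import urllib.error
import urllib.request

# Anonymous GETs and the status the intended policy should produce.
# /_all_dbs is an arbitrary authenticated endpoint chosen for the probe.
EXPECTED = {
    "/_up": 200,        # health check: meant to stay reachable without credentials
    "/_all_dbs": 401,   # everything else: must reject anonymous requests
}

REJECTED = {401, 403}   # status codes treated as "credentials required"


def anonymous_status(base_url, path, timeout=5):
    """HTTP status an unauthenticated GET to base_url + path receives."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(statuses):
    """Turn {path: status} from anonymous probes into a verdict.

    'exposed'  - a non-/_up endpoint served an anonymous request; this is the
                 CVE-2020-1955 behaviour of 3.0.0 with the setting enabled
    'enforced' - /_up open, all other endpoints reject anonymous access
    'locked'   - even /_up rejects anonymous access (plain require_valid_user)
    'unclear'  - anything else (proxy errors, 404s, missing probes, ...)
    """
    up = statuses.get("/_up")
    others = {p: s for p, s in statuses.items() if p != "/_up"}
    if any(200 <= s < 300 for s in others.values()):
        return "exposed"
    if others and all(s in REJECTED for s in others.values()):
        if up == 200:
            return "enforced"
        if up in REJECTED:
            return "locked"
    return "unclear"


def probe(base_url):
    """Run the anonymous probes against a live node and classify the result."""
    statuses = {path: anonymous_status(base_url, path) for path in EXPECTED}
    return classify(statuses), statuses


if __name__ == "__main__":
    # Constructed default; point it at the node you want to check.
    verdict, seen = probe("http://127.0.0.1:5984")
    for path, status in seen.items():
        print(f"{path}: {status} (expected {EXPECTED[path]})")
    print("verdict:", verdict)
```

A verdict of "exposed" on a 3.0.0 node means the advisory's mitigation applies: either upgrade, or set require_valid_user_except_for_up back to false in the [chttpd] section of local.ini. Note that disabling the setting alone restores anonymous access everywhere; if the intent was to require credentials, enable require_valid_user = true as well (which also closes /_up, the "locked" verdict above).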
CouchDB is an open-source, document-oriented database management system that is accessed through a RESTful JavaScript Object Notation (JSON) API.
<p><a target="_blank" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1955">CVE-2020-1955</a></p>
None available
None available
http://docs.couchdb.org/en/stable/cve/2020-1955.html