SB2020030622 - Fedora 31 update for couchdb
Published: March 6, 2020 Updated: April 25, 2025
Description
This security bulletin contains information about 3 security vulnerabilities in the couchdb package.
1) Privilege escalation (CVE-ID: CVE-2018-8007)
The vulnerability allows a remote attacker who already holds CouchDB administrator credentials to gain elevated privileges on the target system.
The vulnerability exists due to insufficient validation of administrator-supplied configuration settings submitted through the HTTP API. The blacklist of configuration settings that must not be modified via the HTTP API (introduced upstream to fix CVE-2017-12636) can be bypassed, letting the attacker push settings that cause CouchDB to execute arbitrary code as the operating system user the database runs as. Fixed upstream in CouchDB 1.7.2 and 2.1.2.
Successful exploitation of the vulnerability may result in system compromise.
2) Privilege escalation (CVE-ID: CVE-2018-11769)
The vulnerability allows a remote attacker who already holds CouchDB administrator credentials to gain elevated privileges on the target system.
The vulnerability exists due to insufficient validation of administrator-supplied configuration settings submitted through the HTTP API. It is a second bypass of the same configuration blacklist: even with the fix for CVE-2018-8007 applied, an administrator can still set blacklisted options over HTTP and thereby execute arbitrary code with the privileges of the CouchDB system user. Fixed upstream in CouchDB 2.2.0.
Successful exploitation of the vulnerability may result in system compromise.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2018-17188)
The vulnerability allows a remote attacker with CouchDB administrator credentials to escalate privileges on the system.
The vulnerability exists because CouchDB versions before 2.3.0 allow runtime configuration of key components of the database (such as the query servers and OS daemons) over the HTTP API. A CouchDB administrator can therefore reach operating system components and execute code with the privileges of the CouchDB system user account. This entry covers the class of issue behind items 1 and 2: rather than blacklisting further individual settings, CouchDB 2.3.0 removes the ability to change these components over HTTP at all.
Remediation
Install the updated couchdb package from the Fedora 31 repositories (dnf upgrade couchdb) or a fixed release from the vendor; the upstream fix that closes all three issues on the 2.x line is CouchDB 2.3.0 or later.
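As an added check that is not part of this bulletin or of the CouchDB project, the following Python script does two things an operator would want around this update: it reads the version field from CouchDB's GET / response and lists which of the three CVEs that build still lacks a fix for (the fixed-version thresholds come from the upstream Apache CouchDB advisories, not from this bulletin), and it scans HTTP request log lines for PUT or DELETE requests to the configuration sections the upstream advisories tie to code execution (query_servers, native_query_servers, os_daemons). The JSON body and log lines are constructed samples; the regexes assume the default CouchDB 1.x and 2.x request log layouts.

```python
from __future__ import annotations

import json
import re

# Fixed versions per CVE on the 2.x line, taken from the upstream Apache CouchDB
# advisories (the bulletin itself does not state them).
FIXED_IN_2X = {
    "CVE-2018-8007": (2, 1, 2),
    "CVE-2018-11769": (2, 2, 0),
    "CVE-2018-17188": (2, 3, 0),
}
# On the 1.x line only CVE-2018-8007 received a fix (1.7.2); the other two need 2.x.
FIXED_IN_1X = {"CVE-2018-8007": (1, 7, 2)}
NEVER_FIXED_IN_1X = ["CVE-2018-11769", "CVE-2018-17188"]

# Config sections whose modification over HTTP led to code execution as the CouchDB
# system user; named in the upstream advisories and closed off in 2.3.0.
SENSITIVE_SECTIONS = {"query_servers", "native_query_servers", "os_daemons"}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '2.1.1' or '2.3.1-rc.1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised CouchDB version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups(default="0"))
    return (major, minor, patch)


def unfixed_cves(root_response: str) -> list[str]:
    """Given the JSON body of GET /, list the bulletin's CVEs this build still lacks fixes for."""
    version = parse_version(json.loads(root_response)["version"])
    if version[0] < 2:
        unfixed = [cve for cve, fixed in FIXED_IN_1X.items() if version < fixed]
        unfixed += NEVER_FIXED_IN_1X
    else:
        unfixed = [cve for cve, fixed in FIXED_IN_2X.items() if version < fixed]
    return sorted(unfixed)


# Tail of a CouchDB request log line: '<user> <METHOD> <path> <status>'. Only writes
# are of interest here; reads of _config are ordinary admin activity.
REQUEST_RE = re.compile(
    r"\s(?P<user>\S+)\s+(?P<method>PUT|DELETE)\s+(?P<path>\S+)\s+(?P<status>\d{3})\b"
)
# 2.x addresses config as /_node/<node>/_config/<section>/..., 1.x as /_config/<section>/...
CONFIG_PATH_RE = re.compile(r"^(?:/_node/[^/]+)?/_config/(?P<section>[^/?]+)")


def flag_config_writes(log_lines: list[str]) -> list[tuple[str, str, str, int]]:
    """Return (user, method, section, status) for every write to a sensitive config section."""
    hits = []
    for line in log_lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue
        path = CONFIG_PATH_RE.match(req["path"])
        if path and path["section"] in SENSITIVE_SECTIONS:
            hits.append((req["user"], req["method"], path["section"], int(req["status"])))
    return hits


# Constructed sample lines in the 2.x (chttpd) and 1.x request log layouts.
SAMPLE_LOG = [
    "[notice] 2020-03-06T12:00:00.000000Z couchdb@127.0.0.1 <0.300.0> 6f2a1c 127.0.0.1:5984 10.0.0.5 admin GET /_node/_local/_config/query_servers 200 ok 1",
    "[notice] 2020-03-06T12:00:01.000000Z couchdb@127.0.0.1 <0.301.0> 6f2a1d 127.0.0.1:5984 10.0.0.5 admin PUT /_node/_local/_config/query_servers/javascript 200 ok 4",
    "[notice] 2020-03-06T12:00:02.000000Z couchdb@127.0.0.1 <0.302.0> 6f2a1e 127.0.0.1:5984 10.0.0.5 admin PUT /_node/_local/_config/log/level 200 ok 2",
    "[notice] 2020-03-06T12:00:03.000000Z couchdb@127.0.0.1 <0.303.0> 6f2a1f 127.0.0.1:5984 10.0.0.7 undefined PUT /inventory/_design/app 401 unauthorized 1",
    "[Fri, 06 Mar 2020 12:00:04 GMT] [info] [<0.123.0>] 10.0.0.9 - - DELETE /_config/os_daemons/backup_hook 200",
]

if __name__ == "__main__":
    # Constructed GET / body standing in for a live query of the server.
    sample_root = '{"couchdb":"Welcome","version":"2.1.1","vendor":{"name":"The Apache Software Foundation"}}'
    print("still affected by:", unfixed_cves(sample_root) or "nothing from this bulletin")
    for user, method, section, status in flag_config_writes(SAMPLE_LOG):
        print(f"config write: user={user} {method} section={section} status={status}")
```

The log scan deliberately reports successful and failed writes alike: a 4xx on one of these sections from a non-admin account is an attempt worth investigating, and a 2xx on a pre-2.3.0 server is the point at which the attacker described in items 1 to 3 gains code execution as the CouchDB user.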