AVG-495

Package couchdb
Status Fixed
Severity High
Type multiple issues
Affected 2.1.0-1
Fixed 2.1.1-1
Current 2.3.0-2 [community]
Ticket None
Created Thu Nov 16 16:09:32 2017
Issue Severity Remote Type Description
CVE-2017-12636 Medium Yes Arbitrary command execution
CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level...
CVE-2017-12635 High Yes Privilege escalation
Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to...
Date Advisory Package Description
16 Nov 2017 ASA-201711-24 couchdb multiple issues
References
https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E
https://justi.cz/security/2017/11/14/couchdb-rce-npm.html