CVE-2017-12636 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Arbitrary command execution
Description	CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-495	couchdb	2.1.0-1	2.1.1-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
16 Nov 2017	ASA-201711-24	AVG-495	couchdb	High	multiple issues

References
http://docs.couchdb.org/en/2.2.0/cve/2017-12636.html https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E https://github.com/apache/couchdb/commit/da27d4dcc7a98c76486f97c356f1c0f4a614b48b

References

http://docs.couchdb.org/en/2.2.0/cve/2017-12636.html
https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E
https://github.com/apache/couchdb/commit/da27d4dcc7a98c76486f97c356f1c0f4a614b48b