CVE-2021-38295 log

Severity Medium
Remote Yes
Type Privilege escalation
A security issue has been found in Apache CouchDB before version 3.1.2. A malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated `_show` and `_list` functionality.

This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes.
Group Package Affected Fixed Severity Status Ticket
AVG-2458 couchdb 3.1.1-4 3.1.2-1 Medium Fixed