CVE-2022-24706
Source | |
Severity | Critical |
Remote | Yes |
Type | Privilege escalation |
Description | An attacker can access an improperly secured default installation without authenticating and gain admin privileges. CouchDB 3.2.2 and onwards will refuse to start with the former default Erlang cookie value of 'monster'. Installations that upgrade to this version are forced to choose a different value. In addition, all binary packages have been updated to bind epmd as well as the CouchDB distribution port to 127.0.0.1 and/or ::1 respectively. |
Group | Package | Affected | Fixed | Severity | Status | Ticket |
---|---|---|---|---|---|---|
AVG-2708 | couchdb | 3.2.1-1 | 3.2.2-2 | Critical | Not affected | |
References |
---|
https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00 |
http://www.openwall.com/lists/oss-security/2022/04/26/1 |
https://docs.couchdb.org/en/stable/setup/cluster.html |