CVE-2022-24706

Source
Severity: Critical
Remote: Yes
Type: Privilege escalation
Description
An attacker can access an improperly secured default installation without authenticating and gain admin privileges.

CouchDB 3.2.2 and onwards will refuse to start with the former default Erlang cookie value of 'monster'. Installations that upgrade to this version are forced to choose a different value.
In addition, all binary packages have been updated to bind epmd as well as the CouchDB distribution port to 127.0.0.1 and/or ::1 respectively.
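
A configuration check for the two changes described above, as an added example that is not part of the advisory or of CouchDB's own tooling. It assumes the Erlang flags live in a vm.args-style file whose path you supply; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a vm.args-style file for the two advisory conditions.

# Last value passed to -setcookie (commented-out lines are ignored).
cookie_of() {
    sed -n 's/^[[:space:]]*-setcookie[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" | tail -n 1 | tr -d "'\""
}

# Last tuple passed to -kernel inet_dist_use_interface, spaces removed.
dist_iface_of() {
    sed -n 's/^[[:space:]]*-kernel[[:space:]]\{1,\}inet_dist_use_interface[[:space:]]\{1,\}\({[^}]*}\).*/\1/p' "$1" | tail -n 1 | tr -d ' '
}

# Prints findings; returns 1 on the default cookie, 2 if unreadable, else 0.
audit_vm_args() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 2; }
    status=0
    case "$(cookie_of "$1")" in
        monster) echo "FAIL: default cookie 'monster' is set; 3.2.2+ will refuse to start"; status=1 ;;
        "")      echo "INFO: no -setcookie here; Erlang falls back to the node user's .erlang.cookie" ;;
        *)       echo "OK: a non-default cookie is set" ;;
    esac
    iface=$(dist_iface_of "$1")
    case "$iface" in
        "{127,0,0,1}"|"{0,0,0,0,0,0,0,1}") echo "OK: distribution port bound to loopback $iface" ;;
        "") echo "WARN: inet_dist_use_interface not set; Erlang's default is all interfaces" ;;
        *)  echo "WARN: distribution port bound to $iface; confirm this is an intended cluster interface" ;;
    esac
    return "$status"
}

# Constructed sample (not from a real host) showing the pre-3.2.2 default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-name couchdb@127.0.0.1
-setcookie monster
EOF
audit_vm_args "$sample" || true
rm -f "$sample"
```

The check covers only the file it is given; epmd's own bind address is set outside vm.args and has to be verified separately on the host.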
Group     Package  Affected  Fixed    Severity  Status        Ticket
AVG-2708  couchdb  3.2.1-1   3.2.2-2  Critical  Not affected
References
https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
http://www.openwall.com/lists/oss-security/2022/04/26/1
https://docs.couchdb.org/en/stable/setup/cluster.html