CVE-2022-24706 - log

CVE-2022-24706 edited at 14 May 2022 21:34:49
References
https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
+ http://www.openwall.com/lists/oss-security/2022/04/26/1
+ https://docs.couchdb.org/en/stable/setup/cluster.html
CVE-2022-24706 edited at 13 May 2022 09:12:19
Description
An attacker can access an improperly secured default installation without authenticating and gain admin privileges.
- CouchDB 3.2.2 and onwards will refuse to start with the former default Erlang cookie value of `monster`. Installations that upgrade to this versions are forced to choose a different value.
+ CouchDB 3.2.2 and onwards will refuse to start with the former default Erlang cookie value of 'monster'. Installations that upgrade to this versions are forced to choose a different value.
- In addition, all binary packages have been updated to bind `epmd` as well as the CouchDB distribution port to `127.0.0.1` and/or `::1` respectively.
+ In addition, all binary packages have been updated to bind epmd as well as the CouchDB distribution port to 127.0.0.1 and/or ::1 respectively.
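Review bot: the reworded first line of the description still reads "Installations that upgrade to this versions", carried over unchanged from the previous revision; it should be "this version" or "these versions". Since this edit already touches that line to swap the backticks around monster for single quotes, the grammar could be corrected in the same change.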
CVE-2022-24706 edited at 13 May 2022 09:11:37
Description
An attacker can access an improperly secured default installation without authenticating and gain admin privileges.
+
+ CouchDB 3.2.2 and onwards will refuse to start with the former default Erlang cookie value of `monster`. Installations that upgrade to this versions are forced to choose a different value.
+ In addition, all binary packages have been updated to bind `epmd` as well as the CouchDB distribution port to `127.0.0.1` and/or `::1` respectively.
CVE-2022-24706 created at 13 May 2022 09:07:39
Severity
+ Critical
Remote
+ Remote
Type
+ Privilege escalation
Description
+ An attacker can access an improperly secured default installation without authenticating and gain admin privileges.
References
+ https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
Notes