.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
.. use this file except in compliance with the License. You may obtain a copy of
.. the License at
..
..   http://www.apache.org/licenses/LICENSE-2.0
..
.. Unless required by applicable law or agreed to in writing, software
.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
.. License for the specific language governing permissions and limitations under
.. the License.

.. _cve/2017-12636:

====================================================
CVE-2017-12636: Apache CouchDB Remote Code Execution
====================================================

:Date: 14.11.2017

:Affected: All Versions of Apache CouchDB

:Severity: Critical

:Vendor: The Apache Software Foundation

Description
===========

CouchDB administrative users can configure the database server via HTTP(S).
Some of the configuration options include paths for operating system-level
binaries that are subsequently launched by CouchDB. This allows a CouchDB admin
user to execute arbitrary shell commands as the CouchDB user, including
downloading and executing scripts from the public internet.

Mitigation
==========

All users should upgrade to CouchDB :ref:`1.7.1 ` or :ref:`2.1.1 `.

Upgrades from previous 1.x and 2.x versions in the same series should be
seamless.

Users on earlier versions, or users upgrading from 1.x to 2.x, should consult
the upgrade notes.

Credit
======

This issue was discovered by `Joan Touzet`_ of the CouchDB Security team
during the investigation of :ref:`CVE-2017-12635 `.

.. _Joan Touzet: http://www.atypical.net
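A fleet triage helper for the Mitigation section above, added here as an example and not part of the advisory or of the CouchDB project: it parses the JSON body a node returns on ``GET /`` (the ``version`` field is real; the sample responses are constructed) and reports whether each node runs a release that carries the fix, 1.7.1 for the 1.x series or 2.1.1 for the 2.x series.

```python
"""Triage CouchDB nodes against the CVE-2017-12636 fix versions (added example)."""
import json
import re

# Minimum fixed release per major series, as stated in the advisory.
FIXED_BY_SERIES = {1: (1, 7, 1), 2: (2, 1, 1)}


def parse_version(text):
    """Turn '2.1.0' or '1.6.1-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised CouchDB version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_patched(version):
    """True if this CouchDB version includes the CVE-2017-12636 fix."""
    v = parse_version(version)
    fixed = FIXED_BY_SERIES.get(v[0])
    if fixed is None:
        # The advisory lists all versions as affected, so 0.x is vulnerable;
        # assumption: any series newer than 2.x shipped after the fix.
        return v[0] > 2
    return v >= fixed


def triage(welcome_json):
    """Map a CouchDB welcome response body to a (version, status) pair."""
    version = json.loads(welcome_json)["version"]
    return version, ("patched" if is_patched(version) else "VULNERABLE")


# Constructed sample responses in the shape of CouchDB's ``GET /`` body.
SAMPLE_NODES = [
    '{"couchdb":"Welcome","version":"1.6.1"}',
    '{"couchdb":"Welcome","version":"1.7.1"}',
    '{"couchdb":"Welcome","version":"2.1.0"}',
    '{"couchdb":"Welcome","version":"2.1.1"}',
]

if __name__ == "__main__":
    for body in SAMPLE_NODES:
        version, status = triage(body)
        print(f"{version:>8}  {status}")
```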