16.7. CVE-2014-2668: DoS (CPU and memory consumption) via the count parameter to /_uuids

Date:26.03.2014
Affected:Apache CouchDB releases up to and including 1.3.1, 1.4.0, and 1.5.0 are vulnerable.
Severity:Moderate
Vendor:The Apache Software Foundation

16.7.1. Description

The /_uuids resource’s count query parameter is able to take unreasonable huge numeric value which leads to exhaustion of server resources (CPU and memory) and to DoS as the result.

16.7.2. Mitigation

Upgrade to a supported CouchDB release that includes this fix, such as:

All listed releases have included a specific fix to

16.7.3. Work-Around

Disable the /_uuids handler completely, by adapting local.ini and restarting CouchDB:

[httpd_global_handlers]
_uuids =

Table Of Contents

Previous topic

16.6. CVE-2012-5650: DOM based Cross-Site Scripting via Futon UI

Next topic

18. About CouchDB Documentation

More Help