.. Licensed under the Apache License, Version 2.0 (the "License"); you may not .. use this file except in compliance with the License. You may obtain a copy of .. the License at .. .. http://www.apache.org/licenses/LICENSE-2.0 .. .. Unless required by applicable law or agreed to in writing, software .. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT .. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the .. License for the specific language governing permissions and limitations under .. the License. .. _cve/2017-12635: ========================================================== CVE-2017-12635: Apache CouchDB Remote Privilege Escalation ========================================================== :Date: 14.11.2017 :Affected: All Versions of Apache CouchDB :Severity: Critical :Vendor: The Apache Software Foundation Description =========== Due to differences in CouchDB’s Erlang-based JSON parser and JavaScript-based JSON parser, it is possible to submit _users documents with duplicate keys for `roles` used for access control within the database, including the special case `_admin` role, that denotes administrative users. In combination with :ref:`CVE-2017-12636 ` (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. Mitigation ========== All users should upgrade to CouchDB :ref:`1.7.1 ` or :ref:`2.1.1 `. Upgrades from previous 1.x and 2.x versions in the same series should be seamless. Users on earlier versions, or users upgrading from 1.x to 2.x should consult with upgrade notes. Example ======= The JSON parser differences result in behaviour that if two `roles` keys are available in the JSON, the second one will be used for authorising the document write, but the first `roles` key is used for subsequent authorisation for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges. We addressed this issue by updating the way CouchDB parses JSON in Erlang, mimicking the JavaScript behaviour of picking the last key, if duplicates exist. Credit ====== This issue was discovered by `Max Justicz`_. .. _Max Justicz: https://mastodon.mit.edu/@maxj