2.5. CVE-2012-5649: JSONP arbitrary code execution with Adobe Flash

Date

14.01.2013

Affected

Releases up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable, if administrators have enabled JSONP.

Severity

Moderate

Vendor

The Apache Software Foundation

2.5.1. Description

A hand-crafted JSONP callback and response can be used to run arbitrary code inside client-side browsers via Adobe Flash.

2.5.2. Mitigation

Upgrade to a supported CouchDB release that includes this fix, such as:

• 1.0.4

• 1.1.2

• 1.2.1

• 1.3.x

All listed releases have included a specific fix.

2.5.3. Work-Around

Disable JSONP or don’t enable it since it’s disabled by default.