2.16. CVE-2023-26268: Apache CouchDB: Information sharing via couchjs processes

Date

02.05.2023

Affected

3.3.1 and below, 3.2.2 and below

Severity

Medium

Vendor

The Apache Software Foundation

2.16.1. Description

Design documents with matching document IDs, from databases on the same cluster, may share a mutable JavaScript environment when using these design document functions:

  • validate_doc_update

  • list

  • filter

  • filter views (using view functions as filters)

  • rewrite

  • update

This doesn’t affect map/reduce or search (Dreyfus) index functions.

2.16.2. Mitigation

CouchDB 3.3.2, 3.2.3 and later versions match JavaScript execution processes by database name in addition to design document ID when processing the affected design document functions.

2.16.3. Workarounds

Avoid using design documents from untrusted sources, which may attempt to cache or store data in the JavaScript environment.
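
To find where this exposure exists on a cluster that has not been upgraded, the following added example (not part of the advisory or of CouchDB) flags design document IDs that appear in more than one database and define one of the affected function types. The function names, the inventory shape and the sample data are assumptions made for illustration.

```javascript
// Added audit sketch, not CouchDB code. Design-document fields that hold the
// function types listed in the advisory. "views" matters only when a view is
// used as a filter, so treat a "views" hit as something to review.
const AFFECTED_FIELDS = ["validate_doc_update", "lists", "filters", "views", "rewrites", "updates"];

// A field counts as in use if it is a non-empty string, array or object.
function isPopulated(value) {
  if (typeof value === "string") return value.trim().length > 0;
  if (Array.isArray(value)) return value.length > 0;
  return value !== null && typeof value === "object" && Object.keys(value).length > 0;
}

// inventory: { dbName: [designDoc, ...] } (hypothetical shape).
// Returns one finding per design document ID that exists in two or more
// databases and defines an affected function in at least one of them.
function findSharedDesignDocIds(inventory) {
  const byId = new Map();
  for (const [db, ddocs] of Object.entries(inventory)) {
    for (const ddoc of ddocs) {
      if (!ddoc || typeof ddoc._id !== "string" || !ddoc._id.startsWith("_design/")) continue;
      const affected = AFFECTED_FIELDS.filter((field) => isPopulated(ddoc[field]));
      if (!byId.has(ddoc._id)) byId.set(ddoc._id, []);
      byId.get(ddoc._id).push({ db, affected });
    }
  }
  const findings = [];
  for (const [id, uses] of byId) {
    const dbs = new Set(uses.map((u) => u.db));
    if (dbs.size < 2 || !uses.some((u) => u.affected.length > 0)) continue;
    findings.push({ id, databases: uses });
  }
  return findings.sort((a, b) => a.id.localeCompare(b.id));
}

// Constructed sample inventory: database names and documents are made up.
const SAMPLE_INVENTORY = {
  tenant_a: [
    { _id: "_design/app", validate_doc_update: "function(n, o, u) {}", filters: { mine: "function(d, r) { return true; }" } },
    { _id: "_design/stats", views: {} },
  ],
  tenant_b: [
    { _id: "_design/app", updates: { bump: "function(d, r) { return [d, 'ok']; }" } },
    { _id: "_design/stats", language: "javascript" },
  ],
  tenant_c: [{ _id: "_design/only_here", lists: { all: "function(h, r) {}" } }],
};

console.log(JSON.stringify(findSharedDesignDocIds(SAMPLE_INVENTORY), null, 2));
```

On a live cluster the inventory can be built from `GET /_all_dbs` followed by `GET /{db}/_design_docs?include_docs=true` for each database. Any ID the audit reports should be checked for design documents that came from a source you do not trust.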

2.16.4. Credit

This issue was identified by Nick Vatamaniuc.