2.7. CVE-2014-2668: DoS (CPU and memory consumption) via the count parameter to /_uuids
- Date:
26.03.2014
- Affected:
Apache CouchDB releases up to and including 1.3.1, 1.4.0, and 1.5.0 are vulnerable.
- Severity:
Moderate
- Vendor:
The Apache Software Foundation
2.7.1. Description
The count query parameter of the /_uuids resource accepts arbitrarily large numeric values. The server attempts to generate that many UUIDs in a single request, which exhausts CPU and memory and results in a denial of service. No authentication is required to reach /_uuids in a default configuration, so any client that can reach the HTTP port can trigger it.
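The following is an added illustration and not CouchDB project code: a Python model of the count handling described above, first without a bound (the vulnerable behaviour) and then with a server-side cap applied before any allocation happens, plus a small check that flags oversized count values in constructed access-log lines. The cap value, the exception type and the log layout are assumptions made for the example.

```python
"""
Added example (not CouchDB project code): models the /_uuids `count`
handling behind CVE-2014-2668 and a bounded version, plus a log check.
The limit value and the log format are illustrative assumptions.
"""
import re
import uuid
from urllib.parse import parse_qs

# Assumed server-side cap on how many UUIDs one request may ask for.
# The value is illustrative, not necessarily the project's own default.
MAX_COUNT = 1000


class RequestRejected(Exception):
    """Raised when a request is refused before any work is done."""


def parse_count(query: str) -> int:
    """Parse the 'count' query parameter; default to 1 when absent."""
    params = parse_qs(query, keep_blank_values=True)
    raw = params.get("count", ["1"])[0]
    try:
        count = int(raw)
    except ValueError:
        raise RequestRejected("count must be an integer")
    if count < 0:
        raise RequestRejected("count must be non-negative")
    return count


def uuids_vulnerable(query: str) -> list:
    """Unbounded behaviour: honours whatever count the client sends,
    so a huge value allocates a huge list before anything is returned."""
    n = parse_count(query)
    return [uuid.uuid4().hex for _ in range(n)]


def uuids_hardened(query: str, max_count: int = MAX_COUNT) -> list:
    """Bounded behaviour: reject oversized requests before allocating."""
    n = parse_count(query)
    if n > max_count:
        raise RequestRejected(f"count must not exceed {max_count}")
    return [uuid.uuid4().hex for _ in range(n)]


# Constructed sample lines loosely modelled on CouchDB httpd log output.
# The exact layout is an assumption; adapt the regex to the real log.
SAMPLE_LOG = """\
[info] [<0.123.0>] 10.0.0.5 - - GET /_uuids?count=10 200
[info] [<0.124.0>] 10.0.0.9 - - GET /_uuids?count=99999999999 200
[info] [<0.125.0>] 10.0.0.7 - - GET /db/_all_docs 200
"""

_UUIDS_RE = re.compile(r"GET /_uuids\?(\S*)")


def suspicious_uuid_requests(log_text: str, max_count: int = MAX_COUNT) -> list:
    """Return (client, count) pairs for /_uuids requests whose count
    exceeds max_count, i.e. candidates for this DoS on unpatched nodes."""
    hits = []
    for line in log_text.splitlines():
        m = _UUIDS_RE.search(line)
        if not m:
            continue
        try:
            n = parse_count(m.group(1))
        except RequestRejected:
            continue  # malformed count: not this attack pattern
        if n > max_count:
            client = line.split()[2]
            hits.append((client, n))
    return hits
```

The hardened variant checks the bound before building the list, which is the property that matters: the rejection must cost nothing proportional to the attacker-supplied number. The log check is only useful on hosts that still run an affected release; after upgrading or removing the handler such requests are refused outright.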
2.7.2. Mitigation
Upgrade to a supported CouchDB release that includes this fix, such as:
All listed releases have included a specific fix to
2.7.3. Work-Around
Disable the /_uuids handler completely by adding the following to local.ini (an empty value unregisters the handler) and restarting CouchDB:
[httpd_global_handlers]
_uuids =