2.13. CVE-2020-1955: Apache CouchDB Remote Privilege Escalation

Date:

19.05.2020

Affected:

3.0.0

Severity:

Medium

Vendor:

The Apache Software Foundation

2.13.1. Description

CouchDB version 3.0.0 shipped with a new configuration setting that governs access control to the entire database server called require_valid_user_except_for_up. It was meant as an extension to the long-standing setting require_valid_user, which in turn requires that any and all requests to CouchDB will have to be made with valid credentials, effectively forbidding any anonymous requests.

The new require_valid_user_except_for_up is an off-by-default setting that was meant to allow requiring valid credentials for all endpoints except for the /_up endpoint.

However, the implementation of this made an error that lead to not enforcing credentials on any endpoint, when enabled.

CouchDB versions 3.0.1 and 3.1.0 fix this issue.

2.13.2. Mitigation

Users who have not enabled require_valid_user_except_for_up are not affected.

Users who have it enabled can either disable it again, or upgrade to CouchDB versions 3.0.1 and 3.1.0

2.13.3. Credit

This issue was discovered by Stefan Klein.