Posted to commits@couchdb.apache.org by ja...@apache.org on 2021/10/12 08:31:56 UTC

[couchdb-documentation] branch main updated (dd10275 -> e43098d)

This is an automated email from the ASF dual-hosted git repository.

jan pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git.


    from dd10275  use regular expressions
     new 392daeb  feat: CVE 2021-38295
     new e43098d  feat: 3.1.2 what’s new

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 src/cve/2021-38295.rst | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++
 src/whatsnew/3.1.rst   | 10 +++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 src/cve/2021-38295.rst

[couchdb-documentation] 02/02: feat: 3.1.2 what’s new


jan pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git

commit e43098d5cf574490c6cc3879c5248e707213c82d
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Tue Oct 5 11:24:01 2021 +0200

    feat: 3.1.2 what’s new
---
 src/whatsnew/3.1.rst | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/whatsnew/3.1.rst b/src/whatsnew/3.1.rst
index 298f023..5715b42 100644
--- a/src/whatsnew/3.1.rst
+++ b/src/whatsnew/3.1.rst
@@ -20,6 +20,16 @@
     :depth: 1
     :local:
 
+.. _release/3.1.2:
+
+Version 3.1.2
+=============
+
+This is a security release for a *low severity* vulnerability. Details of
+the issue will be published one week after this release. See the `CVE
+database <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38295>`_
+for details at a later time.
+
 .. _release/3.1.1:
 
 Version 3.1.1
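Review bot: the new 3.1.2 entry tells readers that details "will be published one week after this release" and sends them only to the MITRE record, yet the companion commit in this same push (392daeb) already adds src/cve/2021-38295.rst with the `cve/2021-38295` label, so the two texts are out of step. Suggest replacing the external link with a local cross-reference, e.g. `See :ref:`cve/2021-38295` for details.`, and, since that page states that 3.1.2 "adds configuration options to turn Content-Security-Policy headers on" rather than enabling them by default, say here that the mitigation is opt-in in 3.1.2 so operators upgrading know they still have a setting to change. The trailing "for details at a later time" can then be dropped.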

[couchdb-documentation] 01/02: feat: CVE 2021-38295


jan pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git

commit 392daebae57cae6c2aa2ef6f49bbbad083ea521a
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Sat Oct 9 11:59:26 2021 +0200

    feat: CVE 2021-38295
---
 src/cve/2021-38295.rst | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/src/cve/2021-38295.rst b/src/cve/2021-38295.rst
new file mode 100644
index 0000000..db323de
--- /dev/null
+++ b/src/cve/2021-38295.rst
@@ -0,0 +1,58 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cve/2021-38295:
+
+===========================================================
+CVE-2021-38295: Apache CouchDB Privilege Escalation
+===========================================================
+
+:Date: 12.10.2021
+
+:Affected: 3.1.1 and below
+
+:Severity: Low
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+A malicious user with permission to create documents in a database is able
+to attach a HTML attachment to a document. If a CouchDB admin opens that
+attachment in a browser, e.g. via the CouchDB admin interface Fauxton,
+any JavaScript code embedded in that HTML attachment will be executed within
+the security context of that admin. A similar route is available with the
+already deprecated `_show` and `_list` functionality.
+
+This *privilege escalation* vulnerability allows an attacker to add or remove
+data in any database or make configuration changes.
+
+Mitigation
+==========
+
+CouchDB :ref:`3.2.0 <release/3.2.0>`  and onwards adds `Content-Security-Policy`
+headers for all attachment, `_show` and `_list` requests. This breaks certain
+niche use-cases and there are configuration options to restore the previous
+behaviour for those who need it.
+
+CouchDB :ref:`3.1.2 <release/3.1.2>`  defaults to the previous behaviour, but
+adds configuration options to turn `Content-Security-Policy` headers on for
+all affected requests.
+
+Credit
+======
+
+This issue was identified by `Cory Sabol`_ of `Secure Ideas`_.
+
+.. _Secure Ideas: https://secureideas.com/
+.. _Cory Sabol: mailto:cory@secureideas.com
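Review bot: the Mitigation section says 3.1.2 "adds configuration options to turn `Content-Security-Policy` headers on for all affected requests" but never names those options or links the configuration reference, so an admin reading this advisory cannot act on it; suggest naming the settings, or adding a :ref: to the relevant config section, right after that sentence. Also check that the `release/3.2.0` label referenced by `:ref:`3.2.0 <release/3.2.0>`` exists, since the summary of changes shows only src/whatsnew/3.1.rst being touched and the label this push creates is `release/3.1.2`. Smaller points: `Content-Security-Policy`, `_show` and `_list` are literals and should use double backticks in RST (single-backtick text renders as interpreted/italic), "attach a HTML attachment" should read "an HTML attachment", and there are stray double spaces after the :ref: roles on both mitigation lines (`<release/3.2.0>`  and` and `<release/3.1.2>`  defaults`).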