You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by wo...@apache.org on 2020/05/19 16:35:04 UTC
[couchdb-documentation] branch 3.0.x updated: 3.0.x cve (#544)
This is an automated email from the ASF dual-hosted git repository.
wohali pushed a commit to branch 3.0.x
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git
The following commit(s) were added to refs/heads/3.0.x by this push:
new c7dc686 3.0.x cve (#544)
c7dc686 is described below
commit c7dc68612bb5fd3fc3198cbf95d053a787960f29
Author: Joan Touzet <wo...@users.noreply.github.com>
AuthorDate: Tue May 19 16:34:57 2020 +0000
3.0.x cve (#544)
* feat: new cve, woop
* Update src/cve/2020-1955.rst
Co-authored-by: Jonathan Hall <fl...@flimzy.com>
* Update src/cve/2020-1955.rst
Co-authored-by: Jonathan Hall <fl...@flimzy.com>
* Update src/cve/2020-1955.rst
* Update src/cve/2020-1955.rst
* Remove 3.1.0 reference
Co-authored-by: Jan Lehnardt <ja...@apache.org>
Co-authored-by: Jonathan Hall <fl...@flimzy.com>
---
src/cve/2020-1955.rst | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
diff --git a/src/cve/2020-1955.rst b/src/cve/2020-1955.rst
new file mode 100644
index 0000000..a8c63f8
--- /dev/null
+++ b/src/cve/2020-1955.rst
@@ -0,0 +1,59 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+.. http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cve/2020-1955:
+
+===========================================================
+CVE-2020-1955: Apache CouchDB Remote Privilege Escalation
+===========================================================
+
+:Date: 19.05.2020
+
+:Affected: 3.0.0
+
+:Severity: Medium
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+CouchDB version 3.0.0 shipped with a new configuration setting that
+governs access control to the entire database server called
+`require_valid_user_except_for_up`. It was meant as an extension to the
+long-standing setting `require_valid_user`, which in turn requires that
+any and all requests to CouchDB will have to be made with valid
+credentials, effectively forbidding any anonymous requests.
+
+The new `require_valid_user_except_for_up` is an off-by-default setting
+that was meant to allow requiring valid credentials for all endpoints
+except for the `/_up` endpoint.
+
+However, the implementation of this made an error that lead to not
+enforcing credentials on any endpoint, when enabled.
+
+CouchDB versions :ref:`3.0.1 <release/3.0.1>` and 3.1.0
+fix this issue.
+
+Mitigation
+==========
+
+Users who have not enabled `require_valid_user_except_for_up` are not
+affected.
+
+Users who have it enabled can either disable it again, or upgrade to
+CouchDB versions :ref:`3.0.1 <release/3.0.1>` and 3.1.0.
+
+Credit
+======
+
+This issue was discovered by Stefan Klein.