Posted to commits@couchdb.apache.org by wo...@apache.org on 2020/05/19 16:35:04 UTC

[couchdb-documentation] branch 3.0.x updated: 3.0.x cve (#544)

This is an automated email from the ASF dual-hosted git repository.

wohali pushed a commit to branch 3.0.x
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git


The following commit(s) were added to refs/heads/3.0.x by this push:
     new c7dc686  3.0.x cve (#544)
c7dc686 is described below

commit c7dc68612bb5fd3fc3198cbf95d053a787960f29
Author: Joan Touzet <wo...@users.noreply.github.com>
AuthorDate: Tue May 19 16:34:57 2020 +0000

    3.0.x cve (#544)
    
    * feat: new cve, woop
    
    * Update src/cve/2020-1955.rst
    
    Co-authored-by: Jonathan Hall <fl...@flimzy.com>
    
    * Update src/cve/2020-1955.rst
    
    Co-authored-by: Jonathan Hall <fl...@flimzy.com>
    
    * Update src/cve/2020-1955.rst
    
    * Update src/cve/2020-1955.rst
    
    * Remove 3.1.0 reference
    
    Co-authored-by: Jan Lehnardt <ja...@apache.org>
    Co-authored-by: Jonathan Hall <fl...@flimzy.com>
---
 src/cve/2020-1955.rst | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/src/cve/2020-1955.rst b/src/cve/2020-1955.rst
new file mode 100644
index 0000000..a8c63f8
--- /dev/null
+++ b/src/cve/2020-1955.rst
@@ -0,0 +1,59 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cve/2020-1955:
+
+===========================================================
+CVE-2020-1955: Apache CouchDB Remote Privilege Escalation
+===========================================================
+
+:Date: 19.05.2020
+
+:Affected: 3.0.0
+
+:Severity: Medium
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+CouchDB version 3.0.0 shipped with a new configuration setting that
+governs access control to the entire database server called
+`require_valid_user_except_for_up`. It was meant as an extension to the
+long-standing setting `require_valid_user`, which in turn requires that
+any and all requests to CouchDB will have to be made with valid
+credentials, effectively forbidding any anonymous requests.
+
+The new `require_valid_user_except_for_up` is an off-by-default setting
+that was meant to allow requiring valid credentials for all endpoints
+except for the `/_up` endpoint.
+
+However, the implementation of this made an error that lead to not
+enforcing credentials on any endpoint, when enabled.
+
+CouchDB versions :ref:`3.0.1 <release/3.0.1>` and 3.1.0
+fix this issue.
+
+Mitigation
+==========
+
+Users who have not enabled `require_valid_user_except_for_up` are not
+affected.
+
+Users who have it enabled can either disable it again, or upgrade to
+CouchDB versions :ref:`3.0.1 <release/3.0.1>` and 3.1.0.
+
+Credit
+======
+
+This issue was discovered by Stefan Klein.
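Review bot: The Mitigation section's first option, "disable it again" for `require_valid_user_except_for_up`, is incomplete as a mitigation: per the Description, the only effect the broken setting has is to leave every endpoint open, so simply turning it off leaves anonymous access unchanged unless the long-standing `require_valid_user` setting is enabled in its place. Suggest wording it as "disable `require_valid_user_except_for_up` and enable `require_valid_user` instead (which will also require credentials for `/_up`), or upgrade to CouchDB 3.0.1 or 3.1.0". Two smaller points in the same hunk: "made an error that lead to not enforcing credentials" should read "led to", and "upgrade to CouchDB versions 3.0.1 and 3.1.0" should be "3.0.1 or 3.1.0", since a deployment upgrades to one of them. The unlinked "3.1.0" next to the `:ref:` for 3.0.1 matches the commit message's "Remove 3.1.0 reference" (no 3.1.0 release page exists on this branch), so that is fine as-is.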