Posted to commits@couchdb.apache.org by ja...@apache.org on 2021/10/12 08:31:24 UTC

[couchdb-documentation] branch feat/cve-2021-38295 created (now fb95278)

This is an automated email from the ASF dual-hosted git repository.

jan pushed a change to branch feat/cve-2021-38295
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git.


      at fb95278  feat: 3.1.2 what’s new

This branch includes the following new commits:

     new 11bdd83  feat: CVE 2021-38295
     new fb95278  feat: 3.1.2 what’s new

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


[couchdb-documentation] 01/02: feat: CVE 2021-38295

Posted by ja...@apache.org.

jan pushed a commit to branch feat/cve-2021-38295
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git

commit 11bdd835914f400aa72655c4d29f31e11dbebc2d
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Sat Oct 9 11:59:26 2021 +0200

    feat: CVE 2021-38295
---
 src/cve/2021-38295.rst | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/src/cve/2021-38295.rst b/src/cve/2021-38295.rst
new file mode 100644
index 0000000..db323de
--- /dev/null
+++ b/src/cve/2021-38295.rst
@@ -0,0 +1,58 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cve/2021-38295:
+
+===========================================================
+CVE-2021-38295: Apache CouchDB Privilege Escalation
+===========================================================
+
+:Date: 12.10.2021
+
+:Affected: 3.1.1 and below
+
+:Severity: Low
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+A malicious user with permission to create documents in a database is able
+to attach a HTML attachment to a document. If a CouchDB admin opens that
+attachment in a browser, e.g. via the CouchDB admin interface Fauxton,
+any JavaScript code embedded in that HTML attachment will be executed within
+the security context of that admin. A similar route is available with the
+already deprecated `_show` and `_list` functionality.
+
+This *privilege escalation* vulnerability allows an attacker to add or remove
+data in any database or make configuration changes.
+
+Mitigation
+==========
+
+CouchDB :ref:`3.2.0 <release/3.2.0>`  and onwards adds `Content-Security-Policy`
+headers for all attachment, `_show` and `_list` requests. This breaks certain
+niche use-cases and there are configuration options to restore the previous
+behaviour for those who need it.
+
+CouchDB :ref:`3.1.2 <release/3.1.2>`  defaults to the previous behaviour, but
+adds configuration options to turn `Content-Security-Policy` headers on for
+all affected requests.
+
+Credit
+======
+
+This issue was identified by `Cory Sabol`_ of `Secure Ideas`_.
+
+.. _Secure Ideas: https://secureideas.com/
+.. _Cory Sabol: mailto:cory@secureideas.com
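Review bot: the Mitigation section is not actionable as written: it says 3.2.0 has "configuration options to restore the previous behaviour" and 3.1.2 "adds configuration options to turn `Content-Security-Policy` headers on", but neither the config section nor the key names are given, so an admin reading this advisory cannot apply the fix; name the options here or link the config reference page. Also note that 3.1.2 keeps the vulnerable default, which is worth stating explicitly in the Mitigation text so readers do not assume that upgrading alone closes the issue. RST nits in the same file: single backticks around `Content-Security-Policy`, `_show` and `_list` render as the default interpreted-text role rather than inline literals, so use double backticks; there is a stray double space after each :ref: target ("<release/3.2.0>`  and onwards", "<release/3.1.2>`  defaults"); "a HTML attachment" should read "an HTML attachment"; and the `release/3.2.0` label must exist in the whatsnew docs or Sphinx will warn at build time.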

[couchdb-documentation] 02/02: feat: 3.1.2 what’s new

Posted by ja...@apache.org.

jan pushed a commit to branch feat/cve-2021-38295
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git

commit fb952784775372730ba62a139a83babde645f3b4
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Tue Oct 5 11:24:01 2021 +0200

    feat: 3.1.2 what’s new
---
 src/whatsnew/3.1.rst | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/whatsnew/3.1.rst b/src/whatsnew/3.1.rst
index 298f023..5715b42 100644
--- a/src/whatsnew/3.1.rst
+++ b/src/whatsnew/3.1.rst
@@ -20,6 +20,16 @@
     :depth: 1
     :local:
 
+.. _release/3.1.2:
+
+Version 3.1.2
+=============
+
+This is a security release for a *low severity* vulnerability. Details of
+the issue will be published one week after this release. See the `CVE
+database <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38295>`_
+for details at a later time.
+
 .. _release/3.1.1:
 
 Version 3.1.1
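Review bot: the new 3.1.2 entry says details "will be published one week after this release" and links only the MITRE record, which will read as stale as soon as the advisory page added in commit 01/02 (src/cve/2021-38295.rst, label `cve/2021-38295`) is merged; consider wording that survives the embargo and a follow-up that replaces the sentence with "See :ref:`cve/2021-38295` for details". The entry also omits what 3.1.2 actually changes: the CVE page states that 3.1.2 defaults to the previous behaviour and only adds configuration options to enable `Content-Security-Policy` headers, so a user upgrading for this fix needs to be told here that there is a setting to turn on.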