.. Licensed under the Apache License, Version 2.0 (the "License"); you may not .. use this file except in compliance with the License. You may obtain a copy of .. the License at .. .. http://www.apache.org/licenses/LICENSE-2.0 .. .. Unless required by applicable law or agreed to in writing, software .. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT .. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the .. License for the specific language governing permissions and limitations under .. the License. .. _cve/2021-38295: =========================================================== CVE-2021-38295: Apache CouchDB Privilege Escalation =========================================================== :Date: 12.10.2021 :Affected: 3.1.1 and below :Severity: Low :Vendor: The Apache Software Foundation Description =========== A malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated `_show` and `_list` functionality. This *privilege escalation* vulnerability allows an attacker to add or remove data in any database or make configuration changes. Mitigation ========== CouchDB :ref:`3.2.0 ` and onwards adds `Content-Security-Policy` headers for all attachment, `_show` and `_list` requests. This breaks certain niche use-cases and there are configuration options to restore the previous behaviour for those who need it. CouchDB :ref:`3.1.2 ` defaults to the previous behaviour, but adds configuration options to turn `Content-Security-Policy` headers on for all affected requests. Credit ====== This issue was identified by `Cory Sabol`_ of `Secure Ideas`_. .. _Secure Ideas: https://secureideas.com/ .. _Cory Sabol: mailto:cory@secureideas.com