17.9. CVE-2017-12636: Apache CouchDB Remote Code Execution¶
|Affected:||All Versions of Apache CouchDB|
|Vendor:||The Apache Software Foundation|
CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows a CouchDB admin user to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.
Upgrades from previous 1.x and 2.x versions in the same series should be seamless.
Users on earlier versions, or users upgrading from 1.x to 2.x should consult with upgrade notes.