2.14. CVE-2021-38295: Apache CouchDB Privilege Escalation
| Affected: | 3.1.1 and below |
| Vendor: | The Apache Software Foundation |
This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes.
CouchDB 3.2.0 and onwards adds Content-Security-Policy headers for all attachment, _show and _list requests. This breaks certain niche use-cases and there are configuration options to restore the previous behaviour for those who need it.
CouchDB 3.1.2 defaults to the previous behaviour, but adds configuration options to turn Content-Security-Policy headers on for all affected requests.
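The version-dependent defaults described above can be checked against a deployment's configuration. The following is an added example, not code from the CouchDB project. The `[csp]` option names `attachments_enable` and `showlist_enable` do not appear on this page and are assumptions to confirm against the configuration reference for the deployed release; the sample `local.ini` is constructed.

```python
import configparser

# [csp] options covering the requests named in the advisory. Assumed names:
# they are not on this page; confirm them in the configuration reference.
CSP_OPTIONS = {
    "attachments_enable": "attachment requests",
    "showlist_enable": "_show and _list requests",
}

# Constructed sample: an operator restored the previous attachment behaviour.
SAMPLE_INI = """
; local.ini (constructed for this example)
[chttpd]
port = 5984

[csp]
attachments_enable = false
"""

def parse_version(text):
    parts = [int(part) for part in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))  # "3.2" -> (3, 2, 0)

def audit_csp(version, ini_text):
    """Map each option to (header sent?, 'configured'|'default'|'unsupported')."""
    ver = parse_version(version)
    if ver < (3, 1, 2):  # 3.1.1 and below: affected, no CSP options to set
        return {opt: (False, "unsupported") for opt in CSP_OPTIONS}
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    default_on = ver >= (3, 2, 0)  # 3.1.2 keeps the previous behaviour (off)
    result = {}
    for opt in CSP_OPTIONS:
        if cfg.has_option("csp", opt):
            result[opt] = (cfg.getboolean("csp", opt), "configured")
        else:
            result[opt] = (default_on, "default")
    return result

def findings(version, ini_text):
    """Human-readable gaps: request classes served without the CSP header."""
    return [
        f"{CSP_OPTIONS[opt]}: no Content-Security-Policy header ({source})"
        for opt, (enabled, source) in audit_csp(version, ini_text).items()
        if not enabled
    ]

if __name__ == "__main__":
    for version in ("3.1.1", "3.1.2", "3.2.0"):
        print(version, findings(version, SAMPLE_INI))
```

On 3.1.2 an empty `[csp]` section still leaves both request classes without the header, so the audit reports them until the options are switched on explicitly.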