2.14. CVE-2021-38295: Apache CouchDB Privilege Escalation
Affected: 3.1.1 and below
Vendor: The Apache Software Foundation
This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes.
CouchDB 3.2.0 and onwards adds Content-Security-Policy headers to all attachment, _show and _list responses. This breaks certain niche use cases, and configuration options are available to restore the previous behaviour for those who need it.
CouchDB 3.1.2 defaults to the previous behaviour, but adds configuration options to turn Content-Security-Policy headers on for all affected responses.
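As an added illustration (not part of this advisory), the `[csp]` settings that control this behaviour, with the hardened values beside the ones that restore the pre-fix behaviour; the key names are taken from the CouchDB 3.2 configuration reference and should be checked against the documentation for the exact version you run.

```ini
; Hardened (3.2.0 defaults): attachments and _show/_list output are served
; with a restrictive Content-Security-Policy so they cannot run scripts in
; the CouchDB origin.
[csp]
attachments_enable = true
attachments_header_value = sandbox
showlist_enable = true
showlist_header_value = sandbox

; Pre-fix behaviour (the 3.1.2 default, and what the advisory warns about):
; only set these to false for the niche use cases that need it.
; [csp]
; attachments_enable = false
; showlist_enable = false
```

After changing these settings, confirm the header is present by fetching an attachment and inspecting the `Content-Security-Policy` response header.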
This issue was identified by Cory Sabol of Secure Ideas.