2.17. CVE-2023-45725: Apache CouchDB: Privilege Escalation Using Design Documents
- Date: 12.12.2023
- Affected: 3.3.2 and below
- Severity: Medium
- Vendor: The Apache Software Foundation
2.17.1. Description
Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document.
These design document functions are:
- list
- show
- rewrite
- update
An attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an “update” function.
For the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document.
2.17.2. Mitigation
CouchDB 3.3.3 scrubs the sensitive headers from http request objects passed to the query server execution environment.
For versions older than 3.3.3 this patch applied to the loop.js file would also mitigate the issue:
diff --git a/share/server/loop.js b/share/server/loop.js
--- a/share/server/loop.js
+++ b/share/server/loop.js
@@ -49,6 +49,20 @@ function create_nouveau_sandbox() {
return sandbox;
}
+function scrubReq(args) {
+ var req = args.pop()
+ if (req.method && req.headers && req.peer && req.userCtx) {
+ delete req.cookie
+ for (var p in req.headers) {
+ if (req.headers.hasOwnProperty(p) && ["authorization", "cookie"].indexOf(p.toLowerCase()) !== -1) {
+ delete req.headers[p]
+ }
+ }
+ }
+ args.push(req)
+ return args
+}
+
// Commands are in the form of json arrays:
// ["commandname",..optional args...]\n
//
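Review bot: scrubReq recognises the request object only by duck typing (`req.method && req.headers && req.peer && req.userCtx`), so any object that lacks one of those four fields is pushed back unscrubbed even if it carries a `headers` map; checking for `req.headers` alone, or scrubbing based on the dispatched command rather than the object's shape, would be more robust. `args.pop()` on an empty array also returns `undefined`, after which `args.push(req)` appends an extra `undefined` argument and changes the arity of the call. Minor style point: the new lines omit semicolons while the surrounding code (`var funPath = args.shift();`) uses them.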
@@ -85,7 +99,7 @@ var DDoc = (function() {
var funPath = args.shift();
var cmd = funPath[0];
// the first member of the fun path determines the type of operation
- var funArgs = args.shift();
+ var funArgs = scrubReq(args.shift());
if (ddoc_dispatch[cmd]) {
// get the function, call the command with it
var point = ddoc;
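Review bot: `scrubReq(args.shift())` now runs for every ddoc command, so if a command arrives without an argument array, `args.shift()` yields `undefined` and `scrubReq` throws on `.pop()` before `ddoc_dispatch[cmd]` is even consulted; a guard such as `if (!Array.isArray(args)) return args;` at the top of scrubReq, or scrubbing only when `cmd` is one of the request-receiving sections, would preserve the previous behaviour for every other command.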
2.17.3. Workarounds
Avoid using design documents from untrusted sources which may attempt to access or manipulate request object’s headers.
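Acting on this workaround requires knowing which design documents actually touch the request object. As an added example that is not part of the advisory or of CouchDB's own code, the following JavaScript walks a constructed set of design documents and flags show, list, update and rewrite functions whose source reads req.headers, a cookie or an Authorization header; it is a source-text heuristic, not a full JavaScript parse, and the sample documents are made up for this example.

```javascript
// Design-document sections whose functions receive the caller's request
// object (the four function types named in the advisory).
const REQ_FUNCTION_SECTIONS = ["shows", "lists", "updates", "rewrites"];

// Source-text patterns that indicate a function touches the sensitive parts
// of req. Keys are the labels reported in findings.
const SENSITIVE_PATTERNS = {
  headers: /\.headers\b/,          // req.headers[...] - the raw header map
  cookie: /cookie/i,               // req.cookie, req.headers.Cookie, 'Cookie'
  authorization: /authorization/i, // Authorization header looked up by name
};

// Constructed sample design documents (not real CouchDB data).
const SAMPLE_DDOCS = [
  {
    _id: "_design/safe",
    shows: { hello: "function(doc, req) { return { body: 'hi ' + req.userCtx.name }; }" },
    views: { by_name: { map: "function(doc) { emit(doc.name, 1); }" } },
  },
  {
    _id: "_design/suspicious",
    lists: { leak: "function(head, req) { send(req.headers['Authorization']); }" },
    updates: { store: "function(doc, req) { return [{ _id: '_local/c', h: req.headers.Cookie }, 'ok']; }" },
    rewrites: [{ from: "/a", to: "b" }], // JSON rewrite rules carry no code
  },
];

// Returns one finding per function whose source matches a sensitive pattern:
// { ddoc, section, name, hits: [label, ...] }.
function auditDesignDocs(ddocs) {
  const findings = [];
  for (const ddoc of ddocs) {
    for (const section of REQ_FUNCTION_SECTIONS) {
      const fns = ddoc[section];
      if (!fns) continue;
      // "rewrites" may be a single function string instead of a name->source map.
      const entries = typeof fns === "string" ? { rewrites: fns } : fns;
      for (const [name, src] of Object.entries(entries)) {
        if (typeof src !== "string") continue; // rule objects are not code
        const hits = Object.keys(SENSITIVE_PATTERNS)
          .filter((label) => SENSITIVE_PATTERNS[label].test(src));
        if (hits.length) findings.push({ ddoc: ddoc._id, section, name, hits });
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(auditDesignDocs(SAMPLE_DDOCS), null, 2));
```

In a real deployment the input would be the rows of a `_design_docs`-style listing for each database; anything flagged is a candidate for review or removal until the instance runs 3.3.3 or carries the loop.js patch.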
2.17.4. Credit
This issue was found by Natan Nehorai and reported by Or Peles from the JFrog Vulnerability Research Team.
It was also independently found by Richard Ellis and Mike Rhodes from IBM/Cloudant.