2.16. CVE-2023-26268: Apache CouchDB: Information sharing via couchjs processes
- Date:
02.05.2023
- Affected:
3.3.1 and below, 3.2.2 and below
- Severity:
Medium
- Vendor:
The Apache Software Foundation
2.16.1. Description
Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions:
validate_doc_update
list
filter
filter views (using view functions as filters)
rewrite
update
This doesn’t affect map/reduce or search (Dreyfus) index functions.
2.16.2. Mitigation
CouchDB 3.3.2 and 3.2.3 and onwards matches Javascript execution processes by database names in addition to design document IDs when processing the affected design document functions.
2.16.3. Workarounds
Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment.
2.16.4. Credit
This issue was identified by Nick Vatamaniuc