Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <A2600194-3759-4165-A437-9BCAE3F97429@apache.org>
Date: Tue, 12 Oct 2021 10:56:13 +0200
From: Jan Lehnardt <jan@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-38295 Apache CouchDB <= 3.1.1 privilege escalation 

Description
===========

A malicious user with permission to create documents in a
database is able to attach a HTML attachment to a document.
If a CouchDB admin opens that attachment in a browser, e.g.
via the CouchDB admin interface Fauxton, any JavaScript code
embedded in that HTML attachment will be executed within the
security context of that admin. A similar route is available
with thealready deprecated `_show` and `_list` functionality.

This *privilege escalation* vulnerability allows an attacker
to add or remove data in any database or make configuration
changes.

Mitigation
==========

CouchDB 3.2.0  and onwards adds `Content-Security-Policy`
headers for all attachment, `_show` and `_list` requests.
This breaks certain niche use-cases and there are
configuration options to restore the previous behaviour for
those who need it.

CouchDB 3.1.2 defaults to the previous behaviour, but adds
configuration options to turn `Content-Security-Policy` headers
on for all affected requests.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.