=====================================================================

                               CERT-Renater

                    Note d'Information No. 2023/VULN539

_____________________________________________________________________

DATE                : 13/12/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache CouchDB versionsup to and
                including 3.3.2, IBM Cloudant versions prior to 8413.

=====================================================================
https://lists.apache.org/thread/pqjq9zt8vq9rsobkc1cow9sqm9vozlrg
_____________________________________________________________________


CVE-2023-45725: Apache CouchDB, IBM Cloudant: Privilege Escalation
Using _design Documents


Severity: moderate

Affected versions:

- Apache CouchDB through 3.3.2
- IBM Cloudant before 8413


Description:

Design document functions which receive a user http request object
may expose authorization or session cookie headers of the user who
accesses the document.

These design document functions are:
   *    list
   *    show
   *    rewrite
   *    update

An attacker can leak the session component using an HTML-like output,
insert the session as an external resource (such as an image), or
store the credential in a _local document with an "update" function.

For the attack to succeed the attacker has to be able to insert the
design documents into the database, then manipulate a user to access
a function from that design document.

Workaround: Avoid using design documents from untrusted sources
which may attempt to access or manipulate request object's headers


Credit:

Natan Nehorai from the JFrog Vulnerability Research Team (finder)
Or Peles from the JFrog Vulnerability Research Team (reporter)
Richard Ellis from IBM/Cloudant Team (finder)
Mike Rhodes from IBM/Cloudant Team (finder)


References:

https://docs.couchdb.org/en/stable/cve/2023-45725.html
https://couchdb.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-45725



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================