As part of our commitment to providing world-class enterprise software and support for our customers, at Couchbase we're dedicated to ensuring that you can maintain a secure deployment at all times. In addition to our public-facing pages on security, this article documents recent security alerts that you may wish to act on, so that you can plan the upgrades needed to mitigate them. The table below contains all recent entries from the full list maintained on our Security Alerts page.
| CVE | Synopsis | Impact (CVSS) | Products | Affects Version | Fix Version | Publish Date |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-44487 | Upgrade gRPC to v1.58.3. The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly. | High (7.5) | Couchbase Server | Server 7.2.2, 7.2.1, 7.2.0, 7.1.5, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.x, 5.x, 4.x | Server 7.2.3, 7.1.6 | November 2023 |
| CVE-2023-44487 | Upgrade Golang to 1.20.10. The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly. | High (7.5) | Couchbase Server | Server 7.2.2, 7.2.1, 7.2.0, 7.1.5, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.x, 5.x, 4.x | Server 7.2.3, 7.1.6 | November 2023 |
| | Upgrade to OpenSSL 1.1.1u. A vulnerability in OpenSSL related to the verification of X.509 certificate chains that include policy constraints allows an attacker to craft a malicious certificate chain that triggers exponential use of computational resources, leading to a denial of service (DoS) on affected systems. | High (7.5) | Couchbase Server | Server 7.2.0, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x | Server 7.2.1, 7.1.5 | November 2023 |
| | Update Golang to 1.19.9. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. | High (7.5) | Couchbase Server | Server 7.2.0, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.x, 5.x, 4.x | Server 7.2.1, 7.1.5 | November 2023 |
| | Update V8 to 11.4.185.1. Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | High (8.0) | Couchbase Server | Server 7.2.0, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x | Server 7.2.1, 7.1.5 | November 2023 |
| CVE-2023-21930, CVE-2023-21954, CVE-2023-21967, CVE-2023-21939, CVE-2023-21938, CVE-2023-21937, CVE-2023-21968 | Update OpenJDK to 11.0.19. Updating OpenJDK to version 11.0.19 resolves numerous CVEs. | High (7.4) | Couchbase Server | Server 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.6.x | Server 7.1.5 | November 2023 |
| CVE-2023-36667 | Windows traversal security issue. On Windows, the admin UI allows an attacker to traverse the filesystem and display files that Couchbase has access to. This vulnerability doesn't require any authentication; it is exploitable simply by appending folders/files to the Couchbase Server admin UI's URL. | High (7.5) | Couchbase Server | Server 7.2.0, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x | Server 7.2.1, 7.1.5 | November 2023 |
| CVE-2023-43768 | Unauthenticated users may cause memcached to run out of memory. A malicious user may easily crash a memcached server by connecting to the server and sending large commands. | High (7.5) | Couchbase Server | Server 7.2.0, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.6.x | Server 7.2.1, 7.1.5 | November 2023 |
| CVE-2023-45875 | Private key leak in debug.log while adding a pre-7.0 node to a 7.2 cluster. The private key is written to debug.log when a pre-7.0 node is added to a 7.2 cluster. | Medium (4.4) | Couchbase Server | Server 7.2.0 | Server 7.2.1 | November 2023 |