CVE | Synopsis | Impact (CVSS) | Products | Affects Version | Fix Version | Publish Date |
CVE-2023-49338 |
Query Service stats endpoint was accessible without authentication The Query stats endpoint did not implement correct authentication, making it possible to view the stats information |
Medium (5.3) |
Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.x |
Server 7.2.4 | January 2024 |
CVE-2023-45873 |
User with Data Reader role could OOM kill the Data Service A user with the Data Reader privilege could kill the Data Service by sending GetKeys requesting a high number of documents, triggering a Out-of-Memory (OOM) error. |
Medium (6.5) |
Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.6.x, 6.5.x |
Server 7.2.4 | January 2024 |
CVE-2023-45874 |
Data readers could DOS the reader threads A user with Datat Reader role could lock a Data Service reader thread for a significant time by requesting a high number of keys and potentially lock up all reader threads by issuing the same command on multiple connections |
Medium (4.3) |
Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.6.x, 6.5.x |
Server 7.2.4 | January 2024 |
Unauthenticated RMI Service Ports Exposed in Analytics Service
Network ports 9119 and 9121 were unauthenticated RMI service ports hosted by the Analytics Service which could result in privilege escalation. |
Critical
(9.1) |
Couchbase Server
|
Server
7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x |
Server 7.2.4
|
January 2024
|
|
CVE-2023-50437 |
otpCookie was shown to a user with a Full Admin role on the Cluster Manager's API endpoints serverGroups and engageCluster2 The cluster's otpCookie was leaked to users with Full Admin role on API endpoint serverGroups and both Cluster Admin and Full Admin on API endpoint engageCluster2. This could be used to elevate privileges |
High (8.6) |
Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x |
Server 7.2.4 | January 2024 |
CVE-2023-49931 |
SQL++ cURL calls to /diag/eval were not sufficiently restricted Calling cURL via SQL++ (N1QL) using the Query Service to the localhost's /diag/eval endpoint weren't fully prevented. |
High (8.6) |
Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x |
Server 7.2.4 | January 2024 |
CVE-2023-49932 |
SQL++ N1QL cURL host restrictions implementation issue The SQL++ (N1QL) cURL allowlist protection in the Query Service, wasn't sufficient in preventing accessing restricted hosts. |
Medium (5.3) |
Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x |
Server 7.2.4 | January 2024 |
CVE-2023-49930 |
Eventing SQL++ cURL calls to /diag/eval were not sufficiently restricted Calling cURL via SQL++ (N1QL) via the Eventing Service to the local host's /diag/eval endpoint weren't fully prevented. |
High (8.6) |
Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.5.x |
Server 7.2.4 | January 2024 |
CVE-2023-50436 |
The internal Full Admin user for cluster management credentials leaked to log file A logging event caused the internal @ns_server admin credentials to be leaked in encoded form in diag.log. |
Low (2.1) |
Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.6, 7.1.5 |
Server 7.2.4 | January 2024 |
CVE-2024-23302 |
TLS Private key leaked in XDCR log file The private key used for Cross Datacenter Replication (XDCR) was leaked in the goxdcr.log |
Low (2.1) |
Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.5.x |
Server 7.2.4 | January 2024 |
CVE-2023-38545 |
Upgrade cURL to 8.4.0 The flaw in curl makes it overflow a heap based buffer in the SOCKS5 proxy handshake. |
Critical (9.8) |
Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.6.x, 6.5.x |
Server 7.2.4 | January 2024 |
CVE-2023-5678 |
Upgrade to OpenSSL 3.1.4 Applications that use the functions DH_generate_key() to generate an X9.42 DH key and applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. |
Medium (5.3) |
Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x |
Server 7.2.4 | January 2024 |
Comments
0 comments
Article is closed for comments.