CVE-2022-24706 — Remote Code Execution Vulnerability in Packaging

Description

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.

How to fix CVE-2022-24706

To remediate CVE-2022-24706, upgrade the affected package to a fixed version below.

—upgrade to 3.2.2 or later

Is CVE-2022-24706 being exploited?

Yes — CVE-2022-24706 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (1)

from 0, < 3.2.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (12)

WEBpacketstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html
WEBpacketstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html
WEBdocs.couchdb.org/en/3.2.2/setup/cluster.html
WEBlists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00