Couchbase Alerts

This page lists critical alerts and advisories for Couchbase.

Enterprise Security Alerts

CVE Synopsis Impact (CVSS) Products Affects Version Fix Version Publish Date

CVE-2024-21094
CVE-2024-21011
CVE-2024-21068
CVE-2024-21012

Update JDK to 17.0.11

The vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.

Low
(3.7)

Couchbase Server

Server
7.6.1,
7.6.0,
7.2.5
7.2.4,
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.x

Server
7.6.2,
7.2.6

August 2024

CVE-2016-2183
CVE-2016-6329

Cluster management ports vulnerable to SWEET32 Vulnerability.

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

High
(8.7)

Couchbase Server

Server
7.2.5,
7.2.4,
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.x,
5.x
4.x
3.x,
2.x

Server
7.6.0,
7.2.6

August 2024

CVE-2024-25673

Header Manipulation Vulnerability.

The Host header from an incoming HTTP request was blindly copied to the Location header.

Medium
(4.2)

Couchbase Server

Server
7.6.1,
7.6.0,
7.2.5,
7.2.4,
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.x,
5.x,
4.x,
3.x,
2.x

Server
7.6.2,
7.2.6

August 2024

CVE-2024-37034

Credentials are negotiated with KV using SCRAM-SHA when remote link encryption is configured for HALF.

SDK will negotiate with SCRAM-SHA by default which allows for a MITM to negotiate for PLAIN credentials.

Medium
(5.9)

Couchbase Server

Server
7.6.0,
7.2.4,
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.x

Server
7.6.1,
7.2.5

July 2024

CVE-2024-0519

Upgrade v8 to 12.1.285.26.

Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

High
(8.8)

Couchbase Server

Server
7.2.4,
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.4,
7.1.3,
7.1.2,
7.1.1,
7.1.0,
7.0.x,
6.x,
5.x,
4.x,
3.x,
2.x

Server
7.6.2,
7.2.5

July 2024

CVE-2023-50782

Upgrade pyca/cryptography to 42.0.5.

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

High
(7.5)

Couchbase Server

Server
7.6.1,
7.6.0

Server
7.6.2,
7.2.5

July 2024

CVE-2023-49338

Query Service stats endpoint was accessible without authentication.

The Query stats endpoint did not implement correct authentication, making it possible to view the stats information.

Medium
(5.3)

Couchbase Server

Server
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.x,
5.x,
4.x

Server
7.2.4

January 2024

CVE-2023-45873

User with Data Reader role could OOM kill the Data Service.

A user with the Data Reader privilege could kill the Data Service by sending GetKeys requesting a high number of documents, triggering a Out-of-Memory (OOM) error.

Medium
(6.5)

Couchbase Server

Server
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.6.x,
6.5.x

Server
7.2.4

January 2024

CVE-2023-45874

Data readers could DOS the reader threads.

A user with Data Reader role could lock a Data Service reader thread for a significant time by requesting a high number of keys and potentially lock up all reader threads by issuing the same command on multiple connections.

Medium
(4.3)

Couchbase Server

Server
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.6.x,
6.5.x

Server
7.2.4

January 2024

CVE-2023-43769

Unauthenticated RMI Service Ports Exposed in Analytics Service.

Network ports 9119 and 9121 were unauthenticated RMI service ports hosted by the Analytics Service which could result in privilege escalation.

Critical
(9.1)

Couchbase Server

Server
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.x

Server
7.2.4

January 2024

CVE-2023-50437

otpCookie was shown to a user with a Full Admin role on the Cluster Manager's API endpoints serverGroups and engageCluster2.

The cluster's otpCookie was leaked to users with Full Admin role on API endpoint serverGroups and both Cluster Admin and Full Admin on API endpoint engageCluster2. This could be used to elevate privileges.

High
(8.6)

Couchbase Server

Server
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.x,
5.x,
4.x,
3.x,
2.x

Server
7.2.4

January 2024

CVE-2023-49931

SQL++ cURL calls to /diag/eval were not sufficiently restricted.

Calling cURL via SQL++ (N1QL) using the Query Service to the localhost's /diag/eval endpoint wasn't fully prevented.

High
(8.6)

Couchbase Server

Server
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.x,
5.x

Server
7.2.4

January 2024

CVE-2023-49932

SQL++ N1QL cURL host restrictions implementation issue.

The SQL++ (N1QL) cURL allowlist protection in the Query Service, wasn't sufficient in preventing accessing restricted hosts.

Medium
(5.3)

Couchbase Server

Server
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.x,
5.x

Server
7.2.4

January 2024

CVE-2023-49930

Eventing SQL++ cURL calls to /diag/eval were not sufficiently restricted.

Calling cURL via SQL++ (N1QL) via the Eventing Service to the local host's /diag/eval endpoint wasn't fully prevented.

High
(8.6)

Couchbase Server

Server
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.5.x

Server
7.2.4

January 2024

CVE-2023-50436

The internal Full Admin user for cluster management credentials leaked to log file.

A logging event caused the internal @ns_server admin credentials to be leaked in encoded form in diag.log.

Low
(2.1)

Couchbase Server

Server
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.6,
7.1.5

Server
7.2.4

January 2024

CVE-2024-23302

TLS Private key leaked in XDCR log file.

The private key used for Cross Datacenter Replication (XDCR) was leaked in the goxdcr.log.

Low
(2.1)

Couchbase Server

Server
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.x,
5.x,
4.5.x

Server
7.2.4

January 2024

CVE-2023-38545

Upgrade cURL to 8.4.0.

The flaw in curl makes it overflow a heap based buffer in the SOCKS5 proxy handshake.

Critical
(9.8)

Couchbase Server

Server
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.6.x,
6.5.x

Server
7.2.4

January 2024

CVE-2023-5678

Upgrade to OpenSSL 3.1.4.

Applications that use the functions DH_generate_key() to generate an X9.42 DH key and applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

Medium
(5.3)

Couchbase Server

Server
7.2.3,
7.2.2,
7.2.1,
7.2.0,
7.1.x,
7.0.x,
6.x,
5.x,
4.x,
3.x,
2.x

Server
7.2.4

January 2024

CVE-2023-44487

Upgrade gRPC to v1.58.3.

The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly.

High
(7.5)

Couchbase Server

Server
7.2.2,
7.2.1,
7.2.0,
7.1.5,
7.1.4,
7.1.3,
7.1.2,
7.1.1,
7.1.0,
7.0.x,
6.x,
5.x,
4.x

Server
7.2.3,
7.1.6

November 2023

CVE-2023-44487

Upgrade Golang to 1.20.10.

The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly.

High
(7.5)

Couchbase Server

Server
7.2.2,
7.2.1,
7.2.0,
7.1.5,
7.1.4,
7.1.3,
7.1.2,
7.1.1,
7.1.0,
7.0.x,
6.x,
5.x,
4.x

Server
7.2.3,
7.1.6

November 2023

CVE-2023-0464

Upgrade to OpenSSL 1.1.1u.

A vulnerability in OpenSSL related to the verification of X.509 certificate chains that include policy constraints., which would allow attackers to be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.

High
(7.5)

Couchbase Server

Server
7.2.0,
7.1.4,
7.1.3,
7.1.2,
7.1.1,
7.1.0,
7.0.x,
6.x,
5.x,
4.x,
3.x,
2.x

Server
7.2.1,
7.1.5

November 2023

CVE-2022-41723

Update of GoLang to 1.19.9.

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

High
(7.5)

Couchbase Server

Server
7.2.0,
7.1.4,
7.1.3,
7.1.2,
7.1.1,
7.1.0,
7.0.x,
6.x,
5.x,
4.x

Server
7.2.1,
7.1.5

November 2023

CVE-2023-3079

CVE-2023-2033

Update V8 to 11.4.185.1.

Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

High
(8.0)

Couchbase Server

Server
7.2.0,
7.1.4,
7.1.3,
7.1.2,
7.1.1,
7.1.0,
7.0.x,
6.x,
5.x,
4.x,
3.x,
2.x

Server
7.2.1,
7.1.5

November 2023

CVE-2023-21930

CVE-2023-21954

CVE-2023-21967

CVE-2023-21939

CVE-2023-21938

CVE-2023-21937

CVE-2023-21968

Update OpenJDK to 11.0.19.

Update OpenJDK to versions 11.0.19 to resolve numerous CVEs.

High
(7.4)

Couchbase Server

Server
7.1.4,
7.1.3,
7.1.2,
7.1.1,
7.1.0,
7.0.x,
6.6.x

Server
7.1.5

November 2023

CVE-2023-36667

Windows traversal security issue.

The Couchbase Server Windows UI allows an attacker to traverse the filesystem and display files that Couchbase has access to. This vulnerability doesn't require any authentication. It's exploitable with just appending folders/files to the Couchbase Server admin UI's URL.

High
(7.5)

Couchbase Server

Server
7.2.0,
7.1.4,
7.1.3,
7.1.2,
7.1.1,
7.1.0,
7.0.x,
6.x,
5.x,
4.x,
3.x,
2.x

Server
7.2.1,
7.1.5

November 2023

CVE-2023-43768

Unauthenticated users may cause memcached to run out of memory.

A malicious user may easily crash a memcached server by connecting to the server and start sending large commands.

High
(7.5)

Couchbase Server

Server
7.2.0,
7.1.4,
7.1.3,
7.1.2,
7.1.1,
7.1.0,
7.0.x,
6.6.x

Server
7.2.1,
7.1.5

November 2023

CVE-2023-45875

Private key leak in debug.log while adding pre-7.0 node to 7.2 cluster.

The private key is leaked to debug.log when adding a pre-7.0 node to 7.2 cluster.

Medium
(4.4)

Couchbase Server

Server
7.2.0

Server
7.2.1

November 2023

CVE-2022-41881

CVE-2022-41915

Update Netty to 4.1.86.Final or higher.

In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion.

Low
(2.2)

Couchbase Server

Server
6.6.6,
7.0.5,
7.1.3

Server
7.2.0,
7.1.4

May 2023

CVE-2023-28470

Full Text Search (FTS) nsstats endpoint is accessible without authentication.

The FTS stats endpoint at /api/nsstats does not implement correct authentication, so it is possible to view the names of Couchbase Server buckets, the names of FTS indexes and configuration of FTS indexes without authentication. The contents of the buckets and indexes are not exposed.

Medium
(5.3)

Couchbase Server

Server
7.1.3,
7.1.2,
7.1.1,
7.1.0,
7.0.x,
6.6.x

Server
7.1.4

March 2023

CVE-2023-25016

Credentials can be leaked to the logs if there is a crash during a node join.

During a node join failure, unredacted credentials of the user making the REST request can be leaked into the log files.

Medium
(6.3)

Couchbase Server

Server
7.1.1,
7.1.0,
7.0.4,
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.6.5,
6.6.4,
6.6.3,
6.6.2,
6.6.1,
6.6.0,
6.5.x,
6.0.x,
5.x,
4.x,
3.x,
2.x

Server
7.1.2,
7.0.5,
6.6.6

January 2023

CVE-2022-42951

Couchbase Cluster Manager lacks access controls during a cluster node restart.

During the start of a couchbase server node there is a short time period where the security cookie is set to "nocookie" which lacks access controls over the Erlang distribution protocol. If an attacker connects to this protocol during this period, they can execute arbitrary code remotely on any cluster node at any point of time until their connection is dropped. The executed code will be running with the same privileges as the Couchbase Server.

Critical
(9.8)

Couchbase Server

Server
7.1.1,
7.1.0,
7.0.4,
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.6.5,
6.6.4,
6.6.3,
6.6.2,
6.6.1,
6.6.0,
6.5.x

Server
7.1.2,
7.0.5,
6.6.6

January 2023

CVE-2022-42004

CVE-2022-42003

Update of Jackson Databind to 2.13.4.2+ as used in the Analytics Service to resolve vulnerabilities.

A resource exhaustion of the Couchbase Analytics Service can occur because of a lack of a check to prevent use of deeply nested arrays.

High
(7.5)

Couchbase Server

Server
7.1.2,
7.1.1,
7.1.0,
7.0.4,
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.6.5,
6.6.4,
6.6.3,
6.6.2,
6.6.1
6.6.0
6.5.x,
6.0.x,
5.x,
4.x

Server
7.1.3,
7.0.5,
6.6.6

January 2023

CVE-2022-42950

A crafted HTTP request to REST API can cause a backup service OOM.

An extremely large (or unbounded) HTTP request body may cause the backup service to cause an OOM (out-of-memory) error.

Medium
(4.9)

Couchbase Server

Server
7.1.1,
7.1.0,
7.0.4,
7.0.3,
7.0.2,
7.0.1,
7.0.0

Server
7.1.2,
7.0.5

January 2023

CVE-2022-1096

Update of V8 Javascript Engine to 10.7.x.

The v8 Javascript engine as used in the Couchbase Server Eventing Service, View Engine, XDCR and N1QL UDFs has been updated as there's a type confusion in versions prior to 99.0.4844.84 which allowed a remote attacker to potentially exploit heap corruption via a crafted request.

High
(8.8)

Couchbase Server

Server
7.1.1,
7.1.0,
7.0.4,
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.x,
5.x,
4.x,
3.x,
2.x

Server
7.1.2,
7.0.5

January 2023

CVE-2021-41561

Update of Apache Parquet to 1.12.3.

An attacker can use Parquet files, as optionally used by the Couchbase Analytics Service, to cause a Denial of Service (DoS) if malicious files contain improper values in the file page header (e.g. negative values where positive value is expected). This is resolved by updating the Apache Parquet library to a later version.

High
(7.5)

Couchbase Server

Server
7.1.1,
7.1.0

Server
7.1.2

November 2022

CVE-2022-37026

Upgrade of Erlang to version 24.3.4.4.

When using the tls/ssl feature in couchbase server, it is possible to bypass client authentication in certain situations. Specifically, any application using the ssl/tls/dtls server, and the client certification option "{verify, verify_peer}" are affected by this vulnerability. Corrections have been released on the supported tracks with patches 23.3.4.15, 24.3.4.2, and 25.0.2 of the erlang/OTP runtime. Only clusters using certificate-based authentication are affected.

Critical
(9.8)

Couchbase Server

Server
7.1.1,
7.1.0

Server
7.1.2

November 2022

CVE-2022-32556

Private key is leaked to the log files with certain crashes.

Certain rare crashes might cause the private key of the generated certificate to be leaked to the log files.

Medium
(6.3)

Couchbase Server

Server
7.1.0,
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.6.5,
6.6.4,
6.6.3,
6.6.2,
6.6.1,
6.6.0,
6.5.x,
6.0.x,
5.x,
4.x,
3.x

Server
7.1.1,
7.0.4,
6.6.6

July 2022

CVE-2022-24675

CVE-2022-23772

CVE-2022-24921

Update of GoLang to a minimum of 1.17.9 or 1.18.1.

Updated Go Programming Language and associated libraries used in multiple Couchbase Server services to versions 1.17.9+ or 1.18.1+ to resolve numerous CVEs.

High
(7.5)

Couchbase Server

Server
7.1.0,
7.0.4,
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.6.5,
6.6.4,
6.6.3,
6.6.2,
6.6.1,
6.6.0,
6.5x,
6.0.x,
5.x,
4.x

Server
7.1.1,
7.0.5,
6.6.6

July 2022

CVE-2020-36518

Update of jackson-databind library to version 2.13.2.2.

jackson-databind, before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. This library is used by the Couchbase Server Analytics Service

Medium
(6.5)

Couchbase Server

Server
7.1.0,
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.6.5,
6.6.4,
6.6.3,
6.6.2,
6.6.1,
6.6.0,
6.5.x,
6.0.x

Server
7.1.1,
7.0.4,
6.6.6

July 2022

CVE-2022-1292

Update of openssl to 1.1.1o.

Updated openssl to fix a flaw in an openssl component, c_rehash. This script scans directories and takes a hash value of each .pem and .crt file in the directory. It then creates symbolic links for each of the files named by the hash value. It has a flaw that allows command injection in the script.

Critical
(9.8)

Couchbase Server

Server
7.1.0,
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.6.5,
6.6.4,
6.6.3,
6.6.2,
6.6.1,
6.6.0,
6.5.x

Server
7.1.1,
7.0.4,
6.6.6

July 2022

CVE-2022-34826

Encrypted Private Key passphrase may be leaked in the logs.

In Couchbase Server 7.1.0 and later it's possible to provide a passphrase to Couchbase Server to unlock an encrypted TLS private key. This passphrase was found to be leaked in the log files as a Base64 encoded string when one of the Couchbase services, other than the Data Service, was starting up. This affects the Index Service, Query Service, Analytics Service, Backup Service and Eventing Service if the optional encrypted TLS keys feature is used. Note, an attacker needs to have access to the logs as well as the private key to be able to perform attacks such as performing a man in the middle attack or decrypting network communication. Using operating system protections to restrict access to these files can be an effective mitigation strategy.

Medium
(4.4)

Couchbase Server

Server
7.1.0

Server
7.1.1

July 2022

CVE-2021-42581

Updating ramda, a client-side javascript library to version 0.28 as used in the Couchbase Server UI.

Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "{}proto{}") as an argument to the function, known as prototype pollution. Prototype pollution type attacks allow bypassing input validation and triggering unexpected javascript execution.

Critical
(9.1)

Couchbase Server

Server
7.1.0,
7.0.x

Server
7.1.1

July 2022

CVE-2021-44906

Update of js-beautify to 1.14.3, a client-side javascript library used in the Couchbase Server UI.

js-beautify has a dependency with a known vulnerability, Minimist. Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). Prototype pollution attacks allow bypassing input validation and triggering unexpected javascript execution.

Critical
(9.8)

Couchbase Server

Server
7.1.0,
7.0.x

Server
7.1.1

July 2022

CVE-2022-33911

Field names are not redacted in logged validation messages for Analytics Service.

When creating secondary indexes with the Couchbase Server Analytics Service, there are some validations on the indexed fields which are reported to the user and logged. The error message with code ASX0013 is used in multiple paths to report and log that there is a duplicate field name. The field names in these logged validation messages are not redacted. Also errors with the code ASX1079 has field names which are not redacted.

Low
(1.8)

Couchbase Server

Server
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.6.5,
6.6.4,
6.6.3,
6.6.2,
6.6.1,
6.6.0,
6.5.x

Server
7.0.4,
6.6.6

June 2022

CVE-2022-33173

Analytics Remote Links may temporarily downgrade to non-TLS connection to determine TLS port.

On failure to establish TLS connection for an Analytics Remote Link configured with encryption=full, the runtime would attempt to discover the (non-default) TLS port by attempting a non-TLS connection to the remote cluster, using SCRAM-SHA for authentication. While credentials are not shared when SCRAM-SHA, it may not be expected that the system would downgrade the prescribed encryption level which specified a TLS connection. This fallback mechanism has been removed, and in a failure to initially establish a TLS connection, the CONNECT LINK will simply fail until the correct TLS port is provided as part of the link configuration.

Low
(2.0)

Couchbase Server

Server
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.6.5,
6.6.4,
6.6.3,
6.6.2,
6.6.1,
6.6.0

Server
7.0.4,
6.6.6

June 2022

CVE-2022-32565

Backup Service log leaks unredacted usernames and doc ids.

If the backup service fails to log an audit message, it leaks the audit log data into the backup_service.log which isn't redacted.

Low
(1.8)

Couchbase Server

Server
7.0.x

Server
7.1.0

June 2022

CVE-2020-14040

Update golang.org/x/text package to 0.3.4 or later.

The golang.org/x/text/encoding/unicode package which could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory.

High
(7.5)

Couchbase Server

Server
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.6.5,
6.6.4,
6.6.3,
6.6.2,
6.6.1,
6.6.0,
6.5.x,
6.0.x,
5.x

Server
7.0.4,
6.6.6

June 2022

CVE-2022-32192

couchbase-cli leaks Secrets Management master password as a command-line argument.

The couchbase-cli spawns a very short-lived erlang process that has the master password as a process argument, this means that if anyone gets the process list at that time they will have the master password. This only affects Couchbase Server clusters utilizing the Secrets Management feature.

Medium
(5.5)
 

Couchbase Server

Server
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.6.5,
6.6.4,
6.6.3,
6.6.2,
6.6.1,
6.6.0,
6.5.x,
6.0.x,
5.x

Server
7.0.4,
6.6.6

June 2022

CVE-2022-32562

Operations may succeed on collection using stale RBAC permission.

If an RBAC role contains a collection-level permission (e.g., query_select[src:_default:Collection1]) and the collection name is deleted and re-created in the bucket, the collection-level permission will still be valid. This allows the user with the role to access the collection even though their permission should have been removed when the collection was deleted.

High
(8.8)

Couchbase Server

Server
7.0.3,
7.0.2,
7.0.1,
7.0.0

Server
7.0.4

June 2022

CVE-2022-32560

XDCR - lacks role checking when changing internal settings.

In affected versions of Couchbase Server, XDCR internal settings can be modified without any authentication.

Medium
(4.0)

Couchbase Server

Server
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.x,
5.x,
4.x

Server
7.0.4

June 2022

CVE-2022-32564

couchbase-cli: server-eshell leaks the Cluster Manager cookie.

In affected versions of Couchbase Server, the Erlang "cookie" is passed via a command-line argument to 'erl' when using the 'server-eshell' command; this leaked the "cookie" to all who could read the 'couchbase-cli' process arguments. The cookie should remain secret as it can be used to perform administrative tasks in the cluster.

High
(7.8)

Couchbase Server

Server
7.0.3,
7.0.2,
7.1.0,
7.0.0,
6.6.5,
6.6.4,
6.6.3,
6.6.2,
6.6.1,
6.6.0,
6.5.x,
6.0.x,
5.x,
4.x,
3.x,
2.x,
1.x

Server
7.0.4,
6.6.6

June 2022

CVE-2021-3737

Python updated to 3.9.12 to address a denial of service issue.
A flaw was found in Python. An improperly handled HTTP response in the HTTP client code of Python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. This issue only affects clusters using the developer preview feature, Analytics UDFs.

High
(7.5)

Couchbase Server

Server
7.0.3,
7.0.2,
7.0.1,
7.0.0

Server
7.0.4

June 2022

CVE-2022-32558

Sample bucket loading may leak internal user passwords during a failure.

A failure while loading a sample bucket (beer-sample, gamesim-sample, travel-sample) may leak the password for the internal @ns_server admin user into the logs (debug.log, error.log, info.log, reports.log). The @ns_server account can be used to perform administrative actions.

Medium
(6.4)

Couchbase Server

Server
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.6.5,
6.6.4,
6.6.3,
6.6.2,
6.6.1,
6.6.0

Server
7.0.4,
6.6.6

June 2022

CVE-2022-32193

Private key may be logged during a crash of the Cluster Manager component of Couchbase Server.

While performing cluster node additions, a crash of the Cluster Manager (ns_server) may lead to the private key getting leaked into the log files. Someone who has access to the log files may be able to decrypt secure network connections to the cluster. If TLS is used the credentials of users and applications that login into the cluster may be acquired.

Medium
(6.3)

Couchbase Server

Server
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.6.5,
6.6.4,
6.6.3,
6.6.2,
6.6.1,
6.6.0

Server
7.0.4,
6.6.6

June 2022

CVE-2022-32561

Previous mitigations for CVE-2018-15728 were found to be insufficient when it was discovered that diagnostic endpoints could still be accessed from the network.

Diagnostic endpoints such as diag/eval are restricted and can only be executed from the loopback network. However, the checks put in place to address CVE-2018-15728 do not correctly check if a “X-Forwarded-For” header contains a loopback address. This header can be manipulated to workaround the loopback restriction.

The vulnerability is limited to requests originating from private network and shared address spaces, per RFC6890.

To be able to successfully issue requests to these endpoints a user requires full administrative privileges, regardless of “X-Forwarded-For” header used.

A workaround for this issue is to firewall requests to the Couchbase Server nodes that contain “X-Forwarded-For” headers in environments where they are not required.

Recognition: Mucahit Karadag / PRODAFT

High
(8.8)

Couchbase Server

Server
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.6.4,
6.6.3,
6.6.2,
6.6.1,
6.6.0,
6.5.x,
6.0.x,
5.x

Server
6.6.5,
7.0.4

June 2022

CVE-2022-32557

Index Service does not enforce authentication for TCP/TLS servers.

The Index Service runs several network processes, Queryport, Dataport and Adminport. These are used to communicate with other Couchbase services. These processes take part in node to node communication, but do not communicate directly with SDK applications. In the affected versions of Couchbase Server, these network processes do not enforce authentication, so will process requests sent by unauthenticated users.

Queryport server can respond to an unauthenticated user with index scan results.

Dataport server can allow unauthenticated user to modify indexed data.

Adminport server can allow unauthenticated user to perform DDL operations (like Create and Drop index).

Possible workaround: As these ports are used only for internal communication by Couchbase Server, any connections/communication with non-Couchbase Server nodes and processes can be disabled at the network layer.

High
(8.2)

Couchbase Server

Server
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.x,
5.x,
4.x

Server
7.0.4

June 2022

CVE-2022-32559

Random http requests lead to leaked metrics.

Unauthenticated users can make a REST API call to the cluster manager. Each http request that has not been seen before by the cluster manager leads to a creation of a new metric. Each new metric takes some memory and some disk space, which can create a memory leak and disk space leak. If enough resources are used, it could cause a Couchbase Server node to fail.

High
(7.5)

Couchbase Server

Server
7.0.3,
7.0.2,
7.0.1,
7.0.0

Server
7.0.4

June 2022

CVE-2022-32563

Admin credentials not verified when using X.509 client cert authentication from Sync Gateway to Couchbase Server.

When Sync Gateway is configured to authenticate with Couchbase Server using X.509 client certificates, the admin credentials provided to the Admin REST API are ignored, resulting in privilege escalation for unauthenticated users. The Public REST API is not impacted by this issue.

Workaround: Replace X.509 certificate based authentication with Username and Password authentication inside the bootstrap configuration.

Critical
(9.8)

Couchbase Sync Gateway

Couchbase Sync Gateway:
3.0.0,
3.0.1

3.0.2

June 2022

CVE-2021-33504

Untrusted node addition can be manipulated in order to harvest a cluster secret.

Administrators adding an untrusted node to a cluster could inadvertently risk transmitting the cluster cookie which should remain secret.

This can be addressed by deploying TLS encryption with Certificate Authority signed certificates. When using TLS, a trusted certificate is required to be present on the incoming node from Couchbase Server version 7.1.0.

Recognition: Ofir Hamam, security researcher at EY Israel’s Advanced Security Center

High
(7.6)

Couchbase Server

Server
7.0.3,
7.0.2,
7.0.1,
7.0.0,
6.x,
5.x,
4.x,
3.x,
2.x

Server
7.1.0

May 2022

CVE-2022-26311

Secrets not redacted in logs collected from Kubernetes environments.

Couchbase Operator 2.2.0 introduced an optimization that simplified log collection. When logs are collected, the support tool – "cbopinfo" – is used to collect Kubernetes resources necessary to gain insight into intended resource state, and current resource status. Prior to the affected versions, secret data was redacted, however this functionality was not retained in the new collection method. As a result, logs would have erroneously contained any passwords, tokens, and private keys within the scope of the log collection. By default, this scope will be limited to the Kubernetes namespace in which the Couchbase Server cluster under inspection resides. The exception to this is if the --system flag was specified, in which case all secrets on the platform will have been exposed. Logs are used to identify and remediate customer issues, and therefore only customers that have supplied logs, with the specified tool versions, are affected. Couchbase will ensure that all affected logs which have been provided are redacted.

High
(7.2)

Couchbase Cloud Native Operator

2.2.0,
2.2.1,
2.2.2

2.2.3

March 2022

CVE-2021-44228

Update of Apache Log4J to 2.15.0

A critical issue in the Apache Log4J utility as used by the Couchbase Analytics Service requires updating to prevent potential Remote Code Execution (RCE) and sensitive data extraction.

Critical
(10)

Couchbase Server

Server
7.0.2,
7.0.1,
7.0.0,
6.6.3,
6.6.2,
6.6.1,
6.6.0,
6.5.x,
6.0.x

Server
7.0.3,
6.6.4

December 2021

CVE-2021-43963

Sync Gateway insecurely stores Couchbase Server bucket credentials

The bucket credentials used by Sync Gateway to read and write data in Couchbase Server was insecurely being stored in the metadata within sync documents written to the bucket. Users with read access could use these credentials to obtain write access. This issue does not affect clusters where Sync Gateway is authenticated with x.509 client certificates. This issue also does not affect clusters where shared bucket access is not enabled on Sync Gateway.

Medium
(6.5)

Couchbase Sync Gateway

Sync Gateway
2.8.2,
2.8.1,
2.8.0,
2.7.x

Sync Gateway 2.8.3

October 2021

CVE-2021-37842

Logs not redacting XDCR remoteCluster credentials

Remote Cluster XDCR credentials can get leaked in debug logs. Config key tombstone purging was added in Couchbase Server 7.0.0. This issue happens when a config key, which is being logged, has a tombstone purger time-stamp attached to it.

High
(7.6)

Couchbase Server

Server
7.0.1,
7.0.0

Server
7.0.2

October 2021

CVE-2021-42763

Credentials exposed in crash error log from a backtrace

As part of a cbcollect_info log collection, Couchbase Server collects the process info of all the processes running in the Erlang VM. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench, etc.) to the specific service. In the backtrace, the Basic Auth Header included in the HTTP request, has the "@" user credentials of the node processing the UI request. For the issue to occur, the process info has to be triggered at the exact moment when a pluggable UI request is being serviced by the cluster manager.

High
(8.8)

Couchbase Server

Sever
7.0.1,
7.0.0,
6.6.2,
6.6.1,
6.6.0,
6.5.x,
6.0.x,
5.x,
4.5.x

Server
6.6.3,
7.0.2

October 2021

CVE-2021-33503

Update of the Python urllib3 to 1.26.5 or higher

An issue was discovered in urllib3 before 1.26.5, as used by Couchbase Server command line tools. When these tools are provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service of the command line tool if a URL were passed as a parameter or redirected to via an HTTP redirect.

High
(7.5)

Couchbase Server

Server
7.0.1,
7.0.0,
6.6.2,
6.6.1,
6.6.0,
6.5.x,
6.0.x

Server
6.6.3,
7.0.2

October 2021

CVE-2020-36242

Update of the Python cryptography package to 3.3.2

In the cryptography package before 3.3.2 for Python, as used by the Couchbase Server command line tools, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow in that tool.

Critical
(9.1)

Couchbase Server

Sever
7.0.1,
7.0.0,
6.6.2,
6.6.1,
6.6.0,
6.5.x,
6.0.x,
5.x,
4.5.x

Server
6.6.3,
7.0.2

October 2021

CVE-2021-35944

A specially crafted network packet sent from an attacker can crash memcached

This can cause unavailability of the Data Service. It is recommended to use a firewall to only allow network traffic from your applications to communicate with the Couchbase Server cluster.

High
(8.2)

Couchbase Server

Server
7.0.0,
6.6.2,
6.6.1,
6.6.0,
6.5.x

Server
6.6.3,
7.0.1

September 2021

CVE-2021-35945

A specially crafted network packet sent from an attacker can crash memcached

This can cause unavailability of the Data Service. It is recommended to use a firewall to only allow network traffic from your applications to communicate with the Couchbase Server cluster.

High
(8.2)

Couchbase Server

Server
7.0.0,
6.6.2,
6.6.1,
6.6.0,
6.5.x,
6.0.x,
5.x,
4.6.x,
4.5.x

Server
6.6.3,
7.0.1

September 2021

CVE-2021-35943

Externally managed users are not prevented from using an empty password, per RFC4513

If an LDAP or Active Directory server, used for external authentication, is configured to allow insecure unauthenticated binds, the Couchbase Server Cluster Manager will allow an external user to be authenticated with an empty password.

LDAP servers can be configured to fail Unauthenticated Bind requests with a resultCode of “unwillingToPerform” to prevent this occurring.

Critical               
(9.8)

Couchbase Server

Server 
6.6.2,
6.6.1,
6.6.0,
6.5.x

Server 6.6.3

August 2021

CVE-2021-23840

CVE-2021-3450

CVE-2021-3449

Update OpenSSL to version 1.1.1k

Multiple security issues resolved in OpenSSL, one of which could cause the TLS server to crash if sent a maliciously crafted renegotiation ClientHello message from a client.

Medium / High
(5.9,
7.4,
7.5)

Couchbase Server

Server
6.6.2,
6.6.1,
6.6.0,
6.5.x

Server 6.6.3

August 2021

CVE-2019-10768

Update AngularJS to 1.8.0

Issue in Angular as used by the Couchbase UI that can cause a denial of service by modifying the merge() function.

High
(7.5)

Couchbase Server

Server
6.6.2,
6.6.1,
6.6.0,
6.5.x,
6.0.x,
5.x,
4.6.x,
4.5.x

Server 6.6.3

August 2021

CVE-2021-31158

N1QL Common Table Expressions (CTEs) handled access control incorrectly.

Common Table Expression N1QL queries did not correctly honor RBAC security controls, giving read-access to users that did not have the required authorization.

Medium
(6.5)

Couchbase Server

Server
6.6.1,
6.6.0,
6.5.2,
6.5.1,
6.5.0

Server 6.6.2

February 2020

CVE-2019-14863

FTS UI to upgrade to angular 1.6.9

The Full Text Seach user interface uses AngularJS 1.4.7 for which some known high severity security vulnerabilities exist. These AngularJS libraries have been updated to a more recent version of Angular which has addressed these vulnerabilities.

High
(7.4)

Couchbase Server

6.0.2,
5.5.5

6.5.0

January 2020

CVE-2020-9040

Up until core-io 1.7.11 (and as a result Java SDK 2.7.11), hostname verification on TLS/SSL connections is not enabled and can be a security risk in certain environments

Java 6 (JDK 1.6 - the older SDK baseline version) did not support hostname verification out of the box. Once the SDK moved to Java 7 (Java 1.7) as the baseline, adding support was possible. This happened in jvm-core 1.7.11 (which translates to java-client 2.7.11). It is not possible in earlier versions to manually add it as a workaround, because the facilities to customize it accordingly are not exposed. Note that in order to not break applications that rely on the old behavior, hostname verification is still disabled by default, but can be enabled in the SDK configuration (CouchbaseEnvironment class).

High
(7.5)

Couchbase Java SDK
Couchbase Spark Connector
Couchbase Kafka Connector
(Connectors depending on Java SDK or Core-IO)

1.7.10,
1.6.0,
1.5.0,
1.4.0,
1.3.0,
1.2.0,
1.1.0,
1.0.0

2.7.11

April 2019

CVE-2020-9039

Projector and indexer REST endpoints did not require authentication

The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles. The endpoint was unauthenticated and has been updated to only allow authenticated users to access these administrative APIs.

Recognition: Apple Security team

High
(7.6)

Couchbase Server

5.5.1,
5.5.0,
5.0.1,
5.0.0,
4.6.x,
4.5.x,
4.1.x,
4.0.x

6.5.0
6.0.0
5.5.2
5.1.2

September 2018

CVE-2020-9042

Couchbase Server returns a WWW-Authenticate response to unauthenticated requests

The Server REST API responds with a {{WWW-Authenticate}} header to unauthenticated requests which allows the user to authenticate via a user / password dialog in a web browser. The problem is that these credentials are cached by the browser which allows a hacker to use CSRF to attack a cluster in the event that an administrator has used their browser to check the results of a REST API request. This behavior can be disabled by using couchbase-cli (couchbase-cli setting-security --set --disable-www-authenticate 1 -c localhost:8091 -u <username> -p <password>). This is not disabled by default as it might break existing tools or scripts.

Recognition: Apple Security Team

Medium
(6.3)

Couchbase Server

6.0.0

6.5.1

April 2020

CVE-2019-11464

Port 8092 misses X-XSS protection header

Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable, however some information security professionals additionally look for X-Permitted-Cross-Domain-Policies and X-XSS-Protection, which are more generally applicable to HTML endpoint, to be included too. These headers are now included in responses from the Couchbase Server Views REST API (port 8092).

Medium
(5.4)

Couchbase Server

5.5.0
5.1.2

6.0.2

March 2019

CVE-2019-9039

Prevent N1QL injection in Sync Gateway via _all_docs startkey, endkey

An attacker with access to the Sync Gateway's public REST API was able to issue additional N1QL statements and extract sensitive data or call arbitrary N1QL functions through the parameters "startkey" and "endkey" on the "_all_docs" endpoint. By issuing nested queries with CPU-intensive operations they may have been able to cause increased resource usage and denial of service conditions. The _all_docs endpoint is not required for Couchbase Mobile replication, and external access to this REST endpoint has been blocked to mitigate this issue.

Recognition: Denis Werner/HiSolutions AG

High
(7.6)

Couchbase Sync Gateway

2.1.2

2.5.0
2.1.3

February 2019

CVE-2019-11466

Eventing debug endpoint must enforce authentication.

The eventing service exposes a system diagnostic profile via an HTTP endpoint that does not require credentials on a port earmarked for internal traffic only. This has been remedied and now requires valid credentials to access.

High
(7.1)

Couchbase Server

6.0.0
5.5.0

6.0.1

December 2018

CVE-2019-11465

Memcached "connections" stat block command emits non-redacted username

The system information submitted to Couchbase as part of a bug report included the usernames for all users currently logged into the system even if the log was redacted for privacy.

This has been fixed so that usernames are tagged properly in the logs and are hashed out when the logs are redacted.

Medium
(6.5)

Couchbase Server

6.0.0,
5.5.3,
5.5.2,
5.5.1,
5.5.0

6.0.1
5.5.4

January 2019

CVE-2018-15728

The /diag/eval endpoint is not locked down to localhost.

Couchbase Server exposed the '/diag/eval' endpoint, which, by default, is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API and the code would subsequently be executed in the underlying operating system with privileges of the user which was used to start Couchbase.

Recognition: Apple Security Team

High
(8.8)

Couchbase Server

5.5.1,
5.5.0,
5.1.1,
5.0.1,
5.0.0,
4.6.5,
4.5.1,
4.1.2,
4.0.0

6.0.0
5.5.2

October 2018

CVE-2019-11495

Erlang cookie uses a weak random seed.

The cookie used for intra-node communication was not generated securely. Couchbase Server uses erlang:now() to seed the PRNG which results in a small search space for potential random seeds that could then be used to brute force the cookie and execute code against a remote system.

Recognition:  Apple Security team

High
(7.9)

Couchbase Server

5.1.1

6.0.0

September 2018

CVE-2019-11467

JSON doc with >3k '\t' chars crashes indexer.

Secondary indexing encodes the entries to be indexed using collatejson. When index entries contained certain characters like \t, <, >, it caused a buffer overrun as the encoded string would be much larger than accounted for, causing the indexer service to crash and restart. This has been remedied now to ensure the buffer always grows as needed for any input.

Recognition:  D-Trust GmbH

Medium
(5.8)

Couchbase Server

5.5.0,
4.6.3

5.1.2,
5.5.2

August 2018

CVE-2019-11497

XDCR does not validate a remote cluster certificate.

When an invalid remote cluster certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. It then accepted the invalid certificate and attempted to use it to establish future connections to the remote cluster. This has been fixed. XDCR now checks the validity of the certificate thoroughly and prevents a remote cluster reference from being created with an invalid certificate.

High
(7.5)

Couchbase Server

5.0.0

5.5.0

June 2018

CVE-2019-11496

Editing bucket settings in Couchbase Server allows authentication without credentials.

In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication. As part of 5.0, the behavior of all buckets including "default" were changed to only allow access by authenticated users with sufficient authorization. However, users were allowed unauthenticated and unauthorized access to the "default" bucket if the properties of this bucket were edited. This has been fixed.

High
(8.7)

Couchbase Server

5.0.0

5.1.0
5.5.0

December 2017