[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2021-38295 Apache CouchDB <= 3.1.1 privilege escalation
From:       Jan Lehnardt <jan () apache ! org>
Date:       2021-10-12 8:56:13
Message-ID: A2600194-3759-4165-A437-9BCAE3F97429 () apache ! org
[Download RAW message or body]

Description
===========

A malicious user with permission to create documents in a
database is able to attach a HTML attachment to a document.
If a CouchDB admin opens that attachment in a browser, e.g.
via the CouchDB admin interface Fauxton, any JavaScript code
embedded in that HTML attachment will be executed within the
security context of that admin. A similar route is available
with thealready deprecated `_show` and `_list` functionality.

This *privilege escalation* vulnerability allows an attacker
to add or remove data in any database or make configuration
changes.

Mitigation
==========

CouchDB 3.2.0  and onwards adds `Content-Security-Policy`
headers for all attachment, `_show` and `_list` requests.
This breaks certain niche use-cases and there are
configuration options to restore the previous behaviour for
those who need it.

CouchDB 3.1.2 defaults to the previous behaviour, but adds
configuration options to turn `Content-Security-Policy` headers
on for all affected requests.
[prev in list] [next in list] [prev in thread] [next in thread]