CVE-2017-12636

high Apache
CVSS v3 Base Score
7.2
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score
93.8%
Exploitation probability in 30 days
Top 0% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Confidentiality
High
Integrity
High
Availability
High
Published: November 14, 2017 (3103 days ago)
Last Modified: May 13, 2026
Vendor: Apache
Source: NVD

Description

CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.

CWE

CWE-78

Affected Products

apache couchdb

References

🔗 lists.apache.org 🔗 lists.debian.org 🔗 security.gentoo.org 🔗 support.hpe.com 🔗 www.exploit-db.com