src/docs/src/cve/2021-38295.rst
.. Licensed under the Apache License, Version 2.0 (the "License"); you may not .. use this file except in compliance with the License. You may obtain a copy of .. the License at .. .. http://www.apache.org/licenses/LICENSE-2.0 .. .. Unless required by applicable law or agreed to in writing, software .. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT .. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the .. License for the specific language governing permissions and limitations under .. the License.
.. _cve/2021-38295:
:Date: 12.10.2021
:Affected: 3.1.1 and below
:Severity: Low
:Vendor: The Apache Software Foundation
A malicious user with permission to create documents in a database is able
to attach a HTML attachment to a document. If a CouchDB admin opens that
attachment in a browser, e.g. via the CouchDB admin interface Fauxton,
any JavaScript code embedded in that HTML attachment will be executed within
the security context of that admin. A similar route is available with the
already deprecated _show and _list functionality.
This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes.
CouchDB :ref:3.2.0 <release/3.2.0> and onwards adds Content-Security-Policy
headers for all attachment, _show and _list requests. This breaks certain
niche use-cases and there are configuration options to restore the previous
behaviour for those who need it.
CouchDB :ref:3.1.2 <release/3.1.2> defaults to the previous behaviour, but
adds configuration options to turn Content-Security-Policy headers on for
all affected requests.
This issue was identified by Cory Sabol_ of Secure Ideas_.
.. _Secure Ideas: https://secureideas.com/ .. _Cory Sabol: mailto:[email protected]