CVE-2020-1955 — CRITICAL (9.8)

Vulnerability Description

CouchDB version 3.0.0 shipped with a new configuration setting that governs access control to the entire database server called `require_valid_user_except_for_up`. It was meant as an extension to the long standing setting `require_valid_user`, which in turn requires that any and all requests to CouchDB will have to be made with valid credentials, effectively forbidding any anonymous requests. The new `require_valid_user_except_for_up` is an off-by-default setting that was meant to allow requiring valid credentials for all endpoints except for the `/_up` endpoint. However, the implementation of this made an error that lead to not enforcing credentials on any endpoint, when enabled. CouchDB versions 3.0.1[1] and 3.1.0[2] fix this issue.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Couchdb	3.0.0

Related Weaknesses (CWE)

CWE-306

References

https://docs.couchdb.org/en/master/cve/2020-1955.htmlMitigationVendor Advisory
https://docs.couchdb.org/en/master/cve/2020-1955.htmlMitigationVendor Advisory

FAQ

What is CVE-2020-1955?

CVE-2020-1955 is a vulnerability with a CVSS score of 9.8 (CRITICAL). CouchDB version 3.0.0 shipped with a new configuration setting that governs access control to the entire database server called `require_valid_user_except_for_up`. It was meant as an extension to the ...

How severe is CVE-2020-1955?

CVE-2020-1955 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-1955?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Couchdb.