VYPR
High severity 7.2 · NVD Advisory · Published Nov 14, 2017 · Updated Jun 17, 2026

CVE-2017-12636

Description

CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.

Affected products

10
  • Apache/Couchdb: 7 versions
    • cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:* range: <1.7.0
    • cpe:2.3:a:apache:couchdb:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:couchdb:2.0.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:apache:couchdb:2.0.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:apache:couchdb:2.0.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:apache:couchdb:2.0.0:rc4:*:*:*:*:*:*
    • (no CPE) range: <1.7.0, <2.1.1
  • osv-coords: 2 versions
    • (no CPE) range: < 1.7.2-2.8.2
    • (no CPE) range: < 1.7.2-2.8.2
  • Apache Software Foundation/Apache CouchDB v5
    Range: 1.2.0 to 1.6.1
