Unrated severity · NVD Advisory · Published May 2, 2023 · Updated Oct 15, 2024
Apache CouchDB, IBM Cloudant: Information sharing via couchjs processes
CVE-2023-26268
Description
Design documents with matching document IDs, from databases on the same cluster, may share a mutable JavaScript environment when using these design document functions:
- validate_doc_update
- list
- filter
- filter views (using view functions as filters)
- rewrite
- update
This doesn't affect map/reduce or search (Dreyfus) index functions.
Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3).
Workaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the JavaScript environment.
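One way to look for the condition described above is to group design documents by ID across databases and report the IDs that appear in more than one database with any of the listed function types. This is an added example, not code from the advisory or the CouchDB project; the input shape and the names `findSharedDesignDocs`, `affectedFunctions` and `SAMPLE` are assumptions.

```javascript
// Added example; input shape is an assumption: { dbName: [designDoc, ...] },
// e.g. collected per database via GET /{db}/_design_docs?include_docs=true.

// Design document fields holding named functions of the affected kinds.
const OBJECT_FIELDS = ["lists", "filters", "updates"];

function affectedFunctions(ddoc) {
  const hits = [];
  if (typeof ddoc.validate_doc_update === "string") hits.push("validate_doc_update");
  for (const field of OBJECT_FIELDS) {
    const fns = ddoc[field];
    if (fns && typeof fns === "object" && Object.keys(fns).length > 0) hits.push(field);
  }
  // Array-style rewrite rules are declarative; only the function form is JavaScript.
  if (typeof ddoc.rewrites === "string") hits.push("rewrites");
  // Any view can be invoked as a filter at request time (filter=_view).
  if (ddoc.views && Object.keys(ddoc.views).length > 0) hits.push("views-as-filters");
  return hits;
}

function findSharedDesignDocs(cluster) {
  const byId = new Map();
  for (const [db, ddocs] of Object.entries(cluster)) {
    for (const ddoc of ddocs) {
      const functions = affectedFunctions(ddoc);
      if (functions.length === 0) continue;
      if (!byId.has(ddoc._id)) byId.set(ddoc._id, []);
      byId.get(ddoc._id).push({ db, functions });
    }
  }
  // Only IDs present in two or more databases match the advisory's condition.
  return [...byId.entries()]
    .filter(([, uses]) => uses.length > 1)
    .map(([id, uses]) => ({ id, uses }));
}

// Constructed sample data, not taken from a real cluster.
const SAMPLE = {
  tenant_a: [
    { _id: "_design/app", validate_doc_update: "function (newDoc, oldDoc, userCtx) {}" },
    { _id: "_design/routes", rewrites: [{ from: "/", to: "index.html" }] },
  ],
  tenant_b: [
    { _id: "_design/app", filters: { mine: "function (doc, req) { return true; }" } },
    { _id: "_design/routes", rewrites: [{ from: "/", to: "index.html" }] },
    { _id: "_design/stats", updates: { bump: "function (doc, req) { return [doc, 'ok']; }" } },
  ],
};

console.log(JSON.stringify(findSharedDesignDocs(SAMPLE), null, 2));
```

A reported ID is a candidate for review on an unpatched cluster, particularly where the databases involved belong to different tenants or trust levels.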
Affected products
- Apache Software Foundation/Apache CouchDB · v5 · Range: 0
- Apache Software Foundation/IBM Cloudant · v5 · Range: 0
References
- lists.apache.org/thread/ldkqs0nhpmho26bdxf4fon7w75hsq5gl (mitre, vendor-advisory)
- lists.apache.org/thread/r2wvjfysg3d92lhhjd1qh3wfr8mlp0pp (mitre, vendor-advisory)
- docs.couchdb.org/en/stable/cve/2023-26268.html (mitre, release-notes)