Server
by Couchbase
CVEs (15)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-42951 | Couchbase / Server | High | 0.53 | 8.1 | 0.01 | | Feb 6, 2023 | An issue was discovered in Couchbase Server 6.5.x and 6.6.x before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2. During the start-up of a Couchbase Server node, there is a small window of time (before the cluster management authentication has started) where an attacker can… |
| CVE-2024-23302 | Couchbase / Server | High | 0.49 | 7.5 | 0.01 | | Feb 29, 2024 | Couchbase Server before 7.2.4 has a private key leak in goxdcr.log. |
| CVE-2023-45875 | Couchbase / Server | High | 0.49 | 7.5 | 0.01 | | Nov 8, 2023 | An issue was discovered in Couchbase Server 7.2.0. There is a private key leak in debug.log while adding a pre-7.0 node to a 7.2 cluster. |
| CVE-2021-42763 | Couchbase / Server | High | 0.49 | 7.5 | 0.01 | | Nov 2, 2021 | Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included… |
| CVE-2021-35945 | Couchbase / Server | High | 0.49 | 7.5 | 0.01 | | Sep 29, 2021 | Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached. |
| CVE-2021-35944 | Couchbase / Server | High | 0.49 | 7.5 | 0.01 | | Sep 29, 2021 | Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached. |
| CVE-2019-11467 | Couchbase / Server | High | 0.49 | 7.5 | 0.01 | | Sep 10, 2019 | In Couchbase Server 4.6.3 and 5.5.0, secondary indexing encodes the entries to be indexed using collatejson. When index entries contain certain characters like \t, <, >, it caused buffer overrun as encoded string would be much larger than accounted for, causing indexer service… |
| CVE-2024-25673 | Couchbase / Server | Medium | 0.40 | 6.1 | 0.00 | | Sep 19, 2024 | Couchbase Server 7.6.x before 7.6.2, 7.2.x before 7.2.6, and all earlier versions allows HTTP Host header injection. |
| CVE-2024-37034 | Couchbase / Server | Medium | 0.38 | 5.9 | 0.00 | | Jul 26, 2024 | An issue was discovered in Couchbase Server before 7.2.5 and 7.6.0 before 7.6.1. It does not ensure that credentials are negotiated with the Key-Value (KV) service using SCRAM-SHA when remote link encryption is configured for Half-Secure. |
| CVE-2023-28470 | Couchbase / Server | Medium | 0.35 | 5.3 | 0.01 | | Mar 23, 2023 | In Couchbase Server 5 through 7 before 7.1.4, the nsstats endpoint is accessible without authentication. |
| CVE-2019-11466 | Couchbase / Server | Medium | 0.35 | 5.3 | 0.01 | | Sep 10, 2019 | In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes system diagnostic profile via an HTTP endpoint that does not require credentials on a port earmarked for internal traffic only. This has been remedied in version 6.0.1 and now requires valid credentials to access. |
| CVE-2023-50436 | Couchbase / Server | Medium | 0.34 | 5.3 | 0.00 | | Feb 29, 2024 | An issue was discovered in Couchbase Server before 7.2.4. ns_server admin credentials are leaked in encoded form in the diag.log file. The earliest affected version is 7.1.5. |
| CVE-2021-25643 | Couchbase / Server | Medium | 0.32 | 4.9 | 0.01 | | May 26, 2021 | An issue was discovered in Couchbase Server 5.x and 6.x before 6.5.2 and 6.6.x before 6.6.2. Internal users with administrator privileges, @cbq-engine-cbauth and @index-cbauth, leak credentials in cleartext in the indexer.log file when they make a /listCreateTokens,… |
| CVE-2021-27925 | Couchbase / Server | Medium | 0.29 | 4.4 | 0.01 | | May 19, 2021 | An issue was discovered in Couchbase Server 6.5.x and 6.6.x through 6.6.1. When using the View Engine and Auditing is enabled, a crash condition can (depending on a race condition) cause an internal user with administrator privileges, @ns_server, to have its credentials leaked… |
| CVE-2021-25645 | Couchbase / Server | Medium | 0.29 | 4.4 | 0.00 | | May 10, 2021 | An issue was discovered in Couchbase Server before 6.0.5, 6.1.x through 6.5.x before 6.5.2, and 6.6.x before 6.6.1. An internal user with administrator privileges, @ns_server, leaks credentials in cleartext in the cbcollect_info.log, debug.log, ns_couchdb.log, indexer.log, and… |