Couchbase Server
by Couchbase
CVEs (13)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-46619 | Couchbase / Couchbase Server | | 0.00 | — | 0.00 | | Apr 30, 2025 | A security issue has been discovered in Couchbase Server before 7.6.4 and fixed in v.7.6.4 and v.7.2.7 for Windows that could allow unauthorized access to sensitive files. Depending on the level of privileges, this vulnerability may grant access to files such as /etc/passwd or /etc/shadow. |
| CVE-2024-56178 | Couchbase / Couchbase Server | | 0.00 | — | 0.00 | | Jan 27, 2025 | An issue was discovered in Couchbase Server 7.6.x through 7.6.3. A user with the security_admin_local role can create a new user in a group that has the admin role. |
| CVE-2024-25673 | Couchbase / Couchbase Server | | 0.00 | — | 0.01 | | Sep 19, 2024 | Couchbase Server 7.6.x before 7.6.2, 7.2.x before 7.2.6, and all earlier versions allow HTTP Host header injection. |
| CVE-2024-37034 | Couchbase / Couchbase Server | | 0.00 | — | 0.00 | | Jul 26, 2024 | An issue was discovered in Couchbase Server before 7.2.5 and 7.6.0 before 7.6.1. It does not ensure that credentials are negotiated with the Key-Value (KV) service using SCRAM-SHA when remote link encryption is configured for Half-Secure. |
| CVE-2023-43768 | Couchbase / Couchbase Server | | 0.00 | — | 0.01 | | Mar 27, 2024 | An issue was discovered in Couchbase Server 6.6.x through 7.2.0, before 7.1.5 and 7.2.1. Unauthenticated users may cause memcached to run out of memory via large commands. |
| CVE-2023-49931 | Couchbase / Couchbase Server | | 0.00 | — | 0.01 | | Feb 28, 2024 | An issue was discovered in Couchbase Server before 7.2.4. SQL++ cURL calls to /diag/eval are not sufficiently restricted. |
| CVE-2024-23302 | Couchbase / Couchbase Server | | 0.00 | — | 0.01 | | Feb 28, 2024 | Couchbase Server before 7.2.4 has a private key leak in goxdcr.log. |
| CVE-2022-42951 | Couchbase / Couchbase Server | | 0.00 | — | 0.00 | | Feb 6, 2023 | An issue was discovered in Couchbase Server 6.5.x and 6.6.x before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2. During the start-up of a Couchbase Server node, there is a small window of time (before the cluster management authentication has started) where an attacker can connect to the cluster manager using default credentials. |
| CVE-2022-42950 | Couchbase / Couchbase Server | | 0.00 | — | 0.01 | | Feb 6, 2023 | An issue was discovered in Couchbase Server 7.x before 7.0.5 and 7.1.x before 7.1.2. A crafted HTTP REST request from an administrator account to the Couchbase Server Backup Service can exhaust memory resources, causing the process to be killed, which can be used for denial of service. |
| CVE-2022-32556 | Couchbase / Couchbase Server | | 0.00 | — | 0.01 | | Jul 21, 2022 | An issue was discovered in Couchbase Server before 7.0.4. A private key is leaked to the log files with certain crashes. |
| CVE-2022-32559 | Couchbase / Couchbase Server | | 0.00 | — | 0.01 | | Jun 14, 2022 | An issue was discovered in Couchbase Server before 7.0.4. Random HTTP requests lead to leaked metrics. |
| CVE-2022-32557 | Couchbase / Couchbase Server | | 0.00 | — | 0.00 | | Jun 14, 2022 | An issue was discovered in Couchbase Server before 7.0.4. The Index Service does not enforce authentication for TCP/TLS servers. |
| CVE-2022-32561 | Couchbase / Couchbase Server | | 0.00 | — | 0.00 | | Jun 14, 2022 | An issue was discovered in Couchbase Server before 6.6.5 and 7.x before 7.0.4. Previous mitigations for CVE-2018-15728 were found to be insufficient when it was discovered that diagnostic endpoints could still be accessed from the network. |