Couchbase Server
by Couchbase
CVEs (45)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-32557 | Hig | 0.49 | 7.5 | 0.01 | Jun 14, 2022 | An issue was discovered in Couchbase Server before 7.0.4. The Index Service does not enforce authentication for TCP/TLS servers. | ||
| CVE-2022-32565 | Hig | 0.49 | 7.5 | 0.01 | Jun 13, 2022 | An issue was discovered in Couchbase Server before 7.0.4. The Backup Service log leaks unredacted usernames and document ids. | ||
| CVE-2022-32192 | Hig | 0.49 | 7.5 | 0.01 | Jun 13, 2022 | Couchbase Server 5.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor. | ||
| CVE-2022-32560 | Hig | 0.49 | 7.5 | 0.01 | Jun 13, 2022 | An issue was discovered in Couchbase Server before 7.0.4. XDCR lacks role checking when changing internal settings. | ||
| CVE-2022-32558 | Hig | 0.49 | 7.5 | 0.01 | Jun 13, 2022 | An issue was discovered in Couchbase Server before 7.0.4. Sample bucket loading may leak internal user passwords during a failure. | ||
| CVE-2021-37842 | Hig | 0.49 | 7.5 | 0.01 | Nov 2, 2021 | metakv in Couchbase Server 7.0.0 uses Cleartext for Storage of Sensitive Information. Remote Cluster XDCR credentials can get leaked in debug logs. Config key tombstone purging was added in Couchbase Server 7.0.0. This issue happens when a config key, which is being logged, has… | ||
| CVE-2021-25644 | Hig | 0.49 | 7.5 | 0.01 | May 19, 2021 | An issue was discovered in Couchbase Server 5.x and 6.x through 6.6.1 and 7.0.0 Beta. Incorrect commands to the REST API can result in leaked authentication information being stored in cleartext in the debug.log and info.log files, and is also shown in the UI visible to… | ||
| CVE-2020-9041 | Hig | 0.49 | 7.5 | 0.01 | Jun 8, 2020 | In Couchbase Server 6.0.3 and Couchbase Sync Gateway through 2.7.0, the Cluster management, views, query, and full-text search endpoints are vulnerable to the Slowloris denial-of-service attack because they don't more aggressively terminate slow connections. | ||
| CVE-2019-11497 | Hig | 0.49 | 7.5 | 0.01 | Sep 10, 2019 | In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. It then accepted the invalid certificate and attempted to use it to establish future connections to the… | ||
| CVE-2024-56178 | Med | 0.42 | 6.5 | 0.00 | Jan 27, 2025 | An issue was discovered in Couchbase Server 7.6.x through 7.6.3. A user with the security_admin_local role can create a new user in a group that has the admin role. | ||
| CVE-2023-45873 | Med | 0.42 | 6.5 | 0.01 | Feb 28, 2024 | An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (application exist) because of the OOM killer. | ||
| CVE-2022-32193 | Med | 0.42 | 6.5 | 0.01 | Jun 13, 2022 | Couchbase Server 6.6.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor. | ||
| CVE-2021-31158 | Med | 0.42 | 6.5 | 0.01 | May 19, 2021 | In the Query Engine in Couchbase Server 6.5.x and 6.6.x through 6.6.1, Common Table Expression queries were not correctly checking the user's permissions, allowing read-access to resources beyond what those users were explicitly allowed to access. | ||
| CVE-2023-43769 | Med | 0.41 | 6.3 | 0.00 | Feb 29, 2024 | An issue was discovered in Couchbase Server through 7.1.4 before 7.1.5 and before 7.2.1. There are Unauthenticated RMI Service Ports Exposed in Analytics. | ||
| CVE-2024-25673 | Med | 0.40 | 6.1 | 0.00 | Sep 19, 2024 | Couchbase Server 7.6.x before 7.6.2, 7.2.x before 7.2.6, and all earlier versions allows HTTP Host header injection. | ||
| CVE-2019-11464 | Med | 0.40 | 6.1 | 0.01 | Sep 10, 2019 | Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable, however some information security professionals additionally look for… | ||
| CVE-2022-34826 | Med | 0.38 | 5.9 | 0.01 | Jul 15, 2022 | In Couchbase Server 7.1.x before 7.1.1, an encrypted Private Key passphrase may be leaked in the logs. | ||
| CVE-2021-27924 | Med | 0.38 | 5.9 | 0.01 | May 19, 2021 | An issue was discovered in Couchbase Server 6.x through 6.6.1. The Couchbase Server UI is insecurely logging session cookies in the logs. This allows for the impersonation of a user if the log files are obtained by an attacker before a session cookie expires. | ||
| CVE-2023-49932 | Med | 0.35 | 5.4 | 0.01 | Feb 29, 2024 | An issue was discovered in Couchbase Server before 7.2.4. An attacker can bypass SQL++ N1QL cURL host restrictions. | ||
| CVE-2022-33911 | Med | 0.35 | 5.3 | 0.01 | Jul 12, 2022 | An issue was discovered in Couchbase Server 7.x before 7.0.4. Field names are not redacted in logged validation messages for Analytics Service. An Unauthorized Actor may be able to obtain Sensitive Information. |
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Couchbase Server before 7.0.4. The Index Service does not enforce authentication for TCP/TLS servers.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Couchbase Server before 7.0.4. The Backup Service log leaks unredacted usernames and document ids.
- risk 0.49cvss 7.5epss 0.01
Couchbase Server 5.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Couchbase Server before 7.0.4. XDCR lacks role checking when changing internal settings.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Couchbase Server before 7.0.4. Sample bucket loading may leak internal user passwords during a failure.
- risk 0.49cvss 7.5epss 0.01
metakv in Couchbase Server 7.0.0 uses Cleartext for Storage of Sensitive Information. Remote Cluster XDCR credentials can get leaked in debug logs. Config key tombstone purging was added in Couchbase Server 7.0.0. This issue happens when a config key, which is being logged, has…
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Couchbase Server 5.x and 6.x through 6.6.1 and 7.0.0 Beta. Incorrect commands to the REST API can result in leaked authentication information being stored in cleartext in the debug.log and info.log files, and is also shown in the UI visible to…
- risk 0.49cvss 7.5epss 0.01
In Couchbase Server 6.0.3 and Couchbase Sync Gateway through 2.7.0, the Cluster management, views, query, and full-text search endpoints are vulnerable to the Slowloris denial-of-service attack because they don't more aggressively terminate slow connections.
- risk 0.49cvss 7.5epss 0.01
In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. It then accepted the invalid certificate and attempted to use it to establish future connections to the…
- risk 0.42cvss 6.5epss 0.00
An issue was discovered in Couchbase Server 7.6.x through 7.6.3. A user with the security_admin_local role can create a new user in a group that has the admin role.
- risk 0.42cvss 6.5epss 0.01
An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (application exist) because of the OOM killer.
- risk 0.42cvss 6.5epss 0.01
Couchbase Server 6.6.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor.
- risk 0.42cvss 6.5epss 0.01
In the Query Engine in Couchbase Server 6.5.x and 6.6.x through 6.6.1, Common Table Expression queries were not correctly checking the user's permissions, allowing read-access to resources beyond what those users were explicitly allowed to access.
- risk 0.41cvss 6.3epss 0.00
An issue was discovered in Couchbase Server through 7.1.4 before 7.1.5 and before 7.2.1. There are Unauthenticated RMI Service Ports Exposed in Analytics.
- risk 0.40cvss 6.1epss 0.00
Couchbase Server 7.6.x before 7.6.2, 7.2.x before 7.2.6, and all earlier versions allows HTTP Host header injection.
- risk 0.40cvss 6.1epss 0.01
Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable, however some information security professionals additionally look for…
- risk 0.38cvss 5.9epss 0.01
In Couchbase Server 7.1.x before 7.1.1, an encrypted Private Key passphrase may be leaked in the logs.
- risk 0.38cvss 5.9epss 0.01
An issue was discovered in Couchbase Server 6.x through 6.6.1. The Couchbase Server UI is insecurely logging session cookies in the logs. This allows for the impersonation of a user if the log files are obtained by an attacker before a session cookie expires.
- risk 0.35cvss 5.4epss 0.01
An issue was discovered in Couchbase Server before 7.2.4. An attacker can bypass SQL++ N1QL cURL host restrictions.
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in Couchbase Server 7.x before 7.0.4. Field names are not redacted in logged validation messages for Analytics Service. An Unauthorized Actor may be able to obtain Sensitive Information.
Page 2 of 3