VYPR
Vendor

Couchbase

Products
10
CVEs
64
Across products
70
Status
Private

Products

10

Recent CVEs

64
View all 64 CVEs →
  • CVE-2020-24719CriNov 12, 2020
    risk 0.69cvss 9.8epss 0.23

    Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes is done by exchanging a shared secret (aka "magic cookie"). There are cases where the magic cookie is included in the content of the logs. An attacker can use the cookie…

  • CVE-2023-49931CriFeb 29, 2024
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in Couchbase Server before 7.2.4. SQL++ cURL calls to /diag/eval are not sufficiently restricted.

  • CVE-2023-49930CriFeb 29, 2024
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in Couchbase Server before 7.2.4. cURL calls to /diag/eval are not sufficiently restricted.

  • CVE-2022-32563CriJun 10, 2022
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509…

  • CVE-2021-35943CriSep 29, 2021
    risk 0.64cvss 9.8epss 0.01

    Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty password, per RFC4513.

  • CVE-2020-9039CriFeb 22, 2020
    risk 0.64cvss 9.8epss 0.04

    Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).The /settings REST endpoint exposed by the projector process is an…

  • CVE-2019-11495CriSep 10, 2019
    risk 0.64cvss 9.8epss 0.02

    In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely. Couchbase Server uses erlang:now() to seed the PRNG which results in a small search space for potential random seeds that could then be used to brute force the cookie and execute…

  • CVE-2022-32559CriJun 14, 2022
    risk 0.59cvss 9.1epss 0.01

    An issue was discovered in Couchbase Server before 7.0.4. Random HTTP requests lead to leaked metrics.

  • CVE-2019-11496CriSep 10, 2019
    risk 0.59cvss 9.1epss 0.01

    In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication. As part of 5.0, the behavior of all buckets including "default" were changed to only allow access by authenticated users with…

  • CVE-2022-32562HigJun 13, 2022
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in Couchbase Server before 7.0.4. Operations may succeed on a collection using stale RBAC permission.

  • CVE-2020-9042HigJun 8, 2020
    risk 0.57cvss 8.8epss 0.01

    In Couchbase Server 6.0, credentials cached by a browser can be used to perform a CSRF attack if an administrator has used their browser to check the results of a REST API request.

  • CVE-2018-15728HigAug 24, 2018
    risk 0.57cvss 8.8epss 0.03

    Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API and the code would subsequently be…

  • CVE-2023-50437HigFeb 29, 2024
    risk 0.56cvss 8.6epss 0.01

    An issue was discovered in Couchbase Server before 7.2.x before 7.2.4. otpCookie is shown with full admin on pools/default/serverGroups and engageCluster2.

  • CVE-2022-42951HigFeb 6, 2023
    risk 0.53cvss 8.1epss 0.01

    An issue was discovered in Couchbase Server 6.5.x and 6.6.x before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2. During the start-up of a Couchbase Server node, there is a small window of time (before the cluster management authentication has started) where an attacker can…

  • CVE-2021-43963HigDec 7, 2021
    risk 0.53cvss 8.1epss 0.01

    An issue was discovered in Couchbase Sync Gateway 2.7.0 through 2.8.2. The bucket credentials used to read and write data in Couchbase Server were insecurely being stored in the metadata within sync documents written to the bucket. Users with read access could use these…

  • CVE-2025-46619HigApr 30, 2025
    risk 0.49cvss 7.6epss 0.00

    A security issue has been discovered in Couchbase Server before 7.6.4 and fixed in v.7.6.4 and v.7.2.7 for Windows that could allow unauthorized access to sensitive files. Depending on the level of privileges, this vulnerability may grant access to files such as /etc/passwd or…

  • CVE-2023-43768HigMar 27, 2024
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in Couchbase Server 6.6.x through 7.2.0, before 7.1.5 and 7.2.1. Unauthenticated users may cause memcached to run out of memory via large commands.

  • CVE-2024-23302HigFeb 29, 2024
    risk 0.49cvss 7.5epss 0.01

    Couchbase Server before 7.2.4 has a private key leak in goxdcr.log.

  • CVE-2023-49338HigFeb 28, 2024
    risk 0.49cvss 7.5epss 0.01

    Couchbase Server 7.1.x and 7.2.x before 7.2.4 does not require authentication for the /admin/stats and /admin/vitals endpoints on TCP port 8093 of localhost.

  • CVE-2023-36667HigNov 8, 2023
    risk 0.49cvss 7.5epss 0.01

    Couchbase Server 7.1.4 before 7.1.5 and 7.2.0 before 7.2.1 allows Directory Traversal.