Vendor CVEs
Couchbase
All CVEs
64 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-24719 | Cri | 0.69 | 9.8 | 0.23 | Nov 12, 2020 | Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes is done by exchanging a shared secret (aka "magic cookie"). There are cases where the magic cookie is included in the content of the logs. An attacker can use the cookie… | ||
| CVE-2023-49931 | Cri | 0.64 | 9.8 | 0.01 | Feb 29, 2024 | An issue was discovered in Couchbase Server before 7.2.4. SQL++ cURL calls to /diag/eval are not sufficiently restricted. | ||
| CVE-2023-49930 | Cri | 0.64 | 9.8 | 0.01 | Feb 29, 2024 | An issue was discovered in Couchbase Server before 7.2.4. cURL calls to /diag/eval are not sufficiently restricted. | ||
| CVE-2022-32563 | Cri | 0.64 | 9.8 | 0.01 | Jun 10, 2022 | An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509… | ||
| CVE-2021-35943 | Cri | 0.64 | 9.8 | 0.01 | Sep 29, 2021 | Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty password, per RFC4513. | ||
| CVE-2020-9039 | Cri | 0.64 | 9.8 | 0.04 | Feb 22, 2020 | Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).The /settings REST endpoint exposed by the projector process is an… | ||
| CVE-2019-11495 | Cri | 0.64 | 9.8 | 0.02 | Sep 10, 2019 | In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely. Couchbase Server uses erlang:now() to seed the PRNG which results in a small search space for potential random seeds that could then be used to brute force the cookie and execute… | ||
| CVE-2022-32559 | Cri | 0.59 | 9.1 | 0.01 | Jun 14, 2022 | An issue was discovered in Couchbase Server before 7.0.4. Random HTTP requests lead to leaked metrics. | ||
| CVE-2019-11496 | Cri | 0.59 | 9.1 | 0.01 | Sep 10, 2019 | In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication. As part of 5.0, the behavior of all buckets including "default" were changed to only allow access by authenticated users with… | ||
| CVE-2022-32562 | Hig | 0.57 | 8.8 | 0.01 | Jun 13, 2022 | An issue was discovered in Couchbase Server before 7.0.4. Operations may succeed on a collection using stale RBAC permission. | ||
| CVE-2020-9042 | Hig | 0.57 | 8.8 | 0.01 | Jun 8, 2020 | In Couchbase Server 6.0, credentials cached by a browser can be used to perform a CSRF attack if an administrator has used their browser to check the results of a REST API request. | ||
| CVE-2018-15728 | Hig | 0.57 | 8.8 | 0.03 | Aug 24, 2018 | Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API and the code would subsequently be… | ||
| CVE-2023-50437 | Hig | 0.56 | 8.6 | 0.01 | Feb 29, 2024 | An issue was discovered in Couchbase Server before 7.2.x before 7.2.4. otpCookie is shown with full admin on pools/default/serverGroups and engageCluster2. | ||
| CVE-2022-42951 | Hig | 0.53 | 8.1 | 0.01 | Feb 6, 2023 | An issue was discovered in Couchbase Server 6.5.x and 6.6.x before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2. During the start-up of a Couchbase Server node, there is a small window of time (before the cluster management authentication has started) where an attacker can… | ||
| CVE-2021-43963 | Hig | 0.53 | 8.1 | 0.01 | Dec 7, 2021 | An issue was discovered in Couchbase Sync Gateway 2.7.0 through 2.8.2. The bucket credentials used to read and write data in Couchbase Server were insecurely being stored in the metadata within sync documents written to the bucket. Users with read access could use these… | ||
| CVE-2025-46619 | Hig | 0.49 | 7.6 | 0.00 | Apr 30, 2025 | A security issue has been discovered in Couchbase Server before 7.6.4 and fixed in v.7.6.4 and v.7.2.7 for Windows that could allow unauthorized access to sensitive files. Depending on the level of privileges, this vulnerability may grant access to files such as /etc/passwd or… | ||
| CVE-2023-43768 | Hig | 0.49 | 7.5 | 0.01 | Mar 27, 2024 | An issue was discovered in Couchbase Server 6.6.x through 7.2.0, before 7.1.5 and 7.2.1. Unauthenticated users may cause memcached to run out of memory via large commands. | ||
| CVE-2024-23302 | Hig | 0.49 | 7.5 | 0.01 | Feb 29, 2024 | Couchbase Server before 7.2.4 has a private key leak in goxdcr.log. | ||
| CVE-2023-49338 | Hig | 0.49 | 7.5 | 0.01 | Feb 28, 2024 | Couchbase Server 7.1.x and 7.2.x before 7.2.4 does not require authentication for the /admin/stats and /admin/vitals endpoints on TCP port 8093 of localhost. | ||
| CVE-2023-36667 | Hig | 0.49 | 7.5 | 0.01 | Nov 8, 2023 | Couchbase Server 7.1.4 before 7.1.5 and 7.2.0 before 7.2.1 allows Directory Traversal. | ||
| CVE-2023-45875 | Hig | 0.49 | 7.5 | 0.01 | Nov 8, 2023 | An issue was discovered in Couchbase Server 7.2.0. There is a private key leak in debug.log while adding a pre-7.0 node to a 7.2 cluster. | ||
| CVE-2023-25016 | Hig | 0.49 | 7.5 | 0.00 | Feb 6, 2023 | Couchbase Server before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2 exposes Sensitive Information to an Unauthorized Actor. | ||
| CVE-2022-32556 | Hig | 0.49 | 7.5 | 0.01 | Jul 21, 2022 | An issue was discovered in Couchbase Server before 7.0.4. A private key is leaked to the log files with certain crashes. | ||
| CVE-2022-33173 | Hig | 0.49 | 7.5 | 0.01 | Jul 12, 2022 | An algorithm-downgrade issue was discovered in Couchbase Server before 7.0.4. Analytics Remote Links may temporarily downgrade to non-TLS connection to determine the TLS port number, using SCRAM-SHA instead. | ||
| CVE-2022-32557 | Hig | 0.49 | 7.5 | 0.01 | Jun 14, 2022 | An issue was discovered in Couchbase Server before 7.0.4. The Index Service does not enforce authentication for TCP/TLS servers. | ||
| CVE-2022-32565 | Hig | 0.49 | 7.5 | 0.01 | Jun 13, 2022 | An issue was discovered in Couchbase Server before 7.0.4. The Backup Service log leaks unredacted usernames and document ids. | ||
| CVE-2022-32192 | Hig | 0.49 | 7.5 | 0.01 | Jun 13, 2022 | Couchbase Server 5.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor. | ||
| CVE-2022-32560 | Hig | 0.49 | 7.5 | 0.01 | Jun 13, 2022 | An issue was discovered in Couchbase Server before 7.0.4. XDCR lacks role checking when changing internal settings. | ||
| CVE-2022-32558 | Hig | 0.49 | 7.5 | 0.01 | Jun 13, 2022 | An issue was discovered in Couchbase Server before 7.0.4. Sample bucket loading may leak internal user passwords during a failure. | ||
| CVE-2022-26311 | Hig | 0.49 | 7.5 | 0.01 | Mar 10, 2022 | Couchbase Operator 2.2.x before 2.2.3 exposes Sensitive Information to an Unauthorized Actor. Secrets are not redacted in logs collected from Kubernetes environments. | ||
| CVE-2021-42763 | Hig | 0.49 | 7.5 | 0.01 | Nov 2, 2021 | Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included… | ||
| CVE-2021-37842 | Hig | 0.49 | 7.5 | 0.01 | Nov 2, 2021 | metakv in Couchbase Server 7.0.0 uses Cleartext for Storage of Sensitive Information. Remote Cluster XDCR credentials can get leaked in debug logs. Config key tombstone purging was added in Couchbase Server 7.0.0. This issue happens when a config key, which is being logged, has… | ||
| CVE-2021-35945 | Hig | 0.49 | 7.5 | 0.01 | Sep 29, 2021 | Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached. | ||
| CVE-2021-35944 | Hig | 0.49 | 7.5 | 0.01 | Sep 29, 2021 | Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached. | ||
| CVE-2021-25644 | Hig | 0.49 | 7.5 | 0.01 | May 19, 2021 | An issue was discovered in Couchbase Server 5.x and 6.x through 6.6.1 and 7.0.0 Beta. Incorrect commands to the REST API can result in leaked authentication information being stored in cleartext in the debug.log and info.log files, and is also shown in the UI visible to… | ||
| CVE-2020-9041 | Hig | 0.49 | 7.5 | 0.01 | Jun 8, 2020 | In Couchbase Server 6.0.3 and Couchbase Sync Gateway through 2.7.0, the Cluster management, views, query, and full-text search endpoints are vulnerable to the Slowloris denial-of-service attack because they don't more aggressively terminate slow connections. | ||
| CVE-2020-9040 | Hig | 0.49 | 7.5 | 0.01 | Jun 8, 2020 | Couchbase Server Java SDK before 2.7.1.1 allows a potential attacker to forge an SSL certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate that will be accepted by Java SDK's Netty component due to missing… | ||
| CVE-2019-11497 | Hig | 0.49 | 7.5 | 0.01 | Sep 10, 2019 | In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. It then accepted the invalid certificate and attempted to use it to establish future connections to the… | ||
| CVE-2019-11467 | Hig | 0.49 | 7.5 | 0.01 | Sep 10, 2019 | In Couchbase Server 4.6.3 and 5.5.0, secondary indexing encodes the entries to be indexed using collatejson. When index entries contain certain characters like \t, <, >, it caused buffer overrun as encoded string would be much larger than accounted for, causing indexer service… | ||
| CVE-2024-56178 | Med | 0.42 | 6.5 | 0.00 | Jan 27, 2025 | An issue was discovered in Couchbase Server 7.6.x through 7.6.3. A user with the security_admin_local role can create a new user in a group that has the admin role. | ||
| CVE-2023-45873 | Med | 0.42 | 6.5 | 0.01 | Feb 28, 2024 | An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (application exist) because of the OOM killer. | ||
| CVE-2022-32193 | Med | 0.42 | 6.5 | 0.01 | Jun 13, 2022 | Couchbase Server 6.6.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor. | ||
| CVE-2021-31158 | Med | 0.42 | 6.5 | 0.01 | May 19, 2021 | In the Query Engine in Couchbase Server 6.5.x and 6.6.x through 6.6.1, Common Table Expression queries were not correctly checking the user's permissions, allowing read-access to resources beyond what those users were explicitly allowed to access. | ||
| CVE-2023-43769 | Med | 0.41 | 6.3 | 0.00 | Feb 29, 2024 | An issue was discovered in Couchbase Server through 7.1.4 before 7.1.5 and before 7.2.1. There are Unauthenticated RMI Service Ports Exposed in Analytics. | ||
| CVE-2025-52490 | Hig | 0.40 | 7.3 | 0.00 | Jul 29, 2025 | An issue was discovered in Couchbase Sync Gateway before 3.2.6. In sgcollect_info_options.log and sync_gateway.log, there are cleartext passwords in redacted and unredacted output. | ||
| CVE-2024-25673 | Med | 0.40 | 6.1 | 0.00 | Sep 19, 2024 | Couchbase Server 7.6.x before 7.6.2, 7.2.x before 7.2.6, and all earlier versions allows HTTP Host header injection. | ||
| CVE-2019-11464 | Med | 0.40 | 6.1 | 0.01 | Sep 10, 2019 | Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable, however some information security professionals additionally look for… | ||
| CVE-2024-37034 | Med | 0.38 | 5.9 | 0.00 | Jul 26, 2024 | An issue was discovered in Couchbase Server before 7.2.5 and 7.6.0 before 7.6.1. It does not ensure that credentials are negotiated with the Key-Value (KV) service using SCRAM-SHA when remote link encryption is configured for Half-Secure. | ||
| CVE-2022-34826 | Med | 0.38 | 5.9 | 0.01 | Jul 15, 2022 | In Couchbase Server 7.1.x before 7.1.1, an encrypted Private Key passphrase may be leaked in the logs. | ||
| CVE-2021-27924 | Med | 0.38 | 5.9 | 0.01 | May 19, 2021 | An issue was discovered in Couchbase Server 6.x through 6.6.1. The Couchbase Server UI is insecurely logging session cookies in the logs. This allows for the impersonation of a user if the log files are obtained by an attacker before a session cookie expires. |
- risk 0.69cvss 9.8epss 0.23
Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes is done by exchanging a shared secret (aka "magic cookie"). There are cases where the magic cookie is included in the content of the logs. An attacker can use the cookie…
- risk 0.64cvss 9.8epss 0.01
An issue was discovered in Couchbase Server before 7.2.4. SQL++ cURL calls to /diag/eval are not sufficiently restricted.
- risk 0.64cvss 9.8epss 0.01
An issue was discovered in Couchbase Server before 7.2.4. cURL calls to /diag/eval are not sufficiently restricted.
- risk 0.64cvss 9.8epss 0.01
An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509…
- risk 0.64cvss 9.8epss 0.01
Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty password, per RFC4513.
- risk 0.64cvss 9.8epss 0.04
Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).The /settings REST endpoint exposed by the projector process is an…
- risk 0.64cvss 9.8epss 0.02
In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely. Couchbase Server uses erlang:now() to seed the PRNG which results in a small search space for potential random seeds that could then be used to brute force the cookie and execute…
- risk 0.59cvss 9.1epss 0.01
An issue was discovered in Couchbase Server before 7.0.4. Random HTTP requests lead to leaked metrics.
- risk 0.59cvss 9.1epss 0.01
In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication. As part of 5.0, the behavior of all buckets including "default" were changed to only allow access by authenticated users with…
- risk 0.57cvss 8.8epss 0.01
An issue was discovered in Couchbase Server before 7.0.4. Operations may succeed on a collection using stale RBAC permission.
- risk 0.57cvss 8.8epss 0.01
In Couchbase Server 6.0, credentials cached by a browser can be used to perform a CSRF attack if an administrator has used their browser to check the results of a REST API request.
- risk 0.57cvss 8.8epss 0.03
Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API and the code would subsequently be…
- risk 0.56cvss 8.6epss 0.01
An issue was discovered in Couchbase Server before 7.2.x before 7.2.4. otpCookie is shown with full admin on pools/default/serverGroups and engageCluster2.
- risk 0.53cvss 8.1epss 0.01
An issue was discovered in Couchbase Server 6.5.x and 6.6.x before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2. During the start-up of a Couchbase Server node, there is a small window of time (before the cluster management authentication has started) where an attacker can…
- risk 0.53cvss 8.1epss 0.01
An issue was discovered in Couchbase Sync Gateway 2.7.0 through 2.8.2. The bucket credentials used to read and write data in Couchbase Server were insecurely being stored in the metadata within sync documents written to the bucket. Users with read access could use these…
- risk 0.49cvss 7.6epss 0.00
A security issue has been discovered in Couchbase Server before 7.6.4 and fixed in v.7.6.4 and v.7.2.7 for Windows that could allow unauthorized access to sensitive files. Depending on the level of privileges, this vulnerability may grant access to files such as /etc/passwd or…
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Couchbase Server 6.6.x through 7.2.0, before 7.1.5 and 7.2.1. Unauthenticated users may cause memcached to run out of memory via large commands.
- risk 0.49cvss 7.5epss 0.01
Couchbase Server before 7.2.4 has a private key leak in goxdcr.log.
- risk 0.49cvss 7.5epss 0.01
Couchbase Server 7.1.x and 7.2.x before 7.2.4 does not require authentication for the /admin/stats and /admin/vitals endpoints on TCP port 8093 of localhost.
- risk 0.49cvss 7.5epss 0.01
Couchbase Server 7.1.4 before 7.1.5 and 7.2.0 before 7.2.1 allows Directory Traversal.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Couchbase Server 7.2.0. There is a private key leak in debug.log while adding a pre-7.0 node to a 7.2 cluster.
- risk 0.49cvss 7.5epss 0.00
Couchbase Server before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2 exposes Sensitive Information to an Unauthorized Actor.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Couchbase Server before 7.0.4. A private key is leaked to the log files with certain crashes.
- risk 0.49cvss 7.5epss 0.01
An algorithm-downgrade issue was discovered in Couchbase Server before 7.0.4. Analytics Remote Links may temporarily downgrade to non-TLS connection to determine the TLS port number, using SCRAM-SHA instead.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Couchbase Server before 7.0.4. The Index Service does not enforce authentication for TCP/TLS servers.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Couchbase Server before 7.0.4. The Backup Service log leaks unredacted usernames and document ids.
- risk 0.49cvss 7.5epss 0.01
Couchbase Server 5.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Couchbase Server before 7.0.4. XDCR lacks role checking when changing internal settings.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Couchbase Server before 7.0.4. Sample bucket loading may leak internal user passwords during a failure.
- risk 0.49cvss 7.5epss 0.01
Couchbase Operator 2.2.x before 2.2.3 exposes Sensitive Information to an Unauthorized Actor. Secrets are not redacted in logs collected from Kubernetes environments.
- risk 0.49cvss 7.5epss 0.01
Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included…
- risk 0.49cvss 7.5epss 0.01
metakv in Couchbase Server 7.0.0 uses Cleartext for Storage of Sensitive Information. Remote Cluster XDCR credentials can get leaked in debug logs. Config key tombstone purging was added in Couchbase Server 7.0.0. This issue happens when a config key, which is being logged, has…
- risk 0.49cvss 7.5epss 0.01
Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached.
- risk 0.49cvss 7.5epss 0.01
Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in Couchbase Server 5.x and 6.x through 6.6.1 and 7.0.0 Beta. Incorrect commands to the REST API can result in leaked authentication information being stored in cleartext in the debug.log and info.log files, and is also shown in the UI visible to…
- risk 0.49cvss 7.5epss 0.01
In Couchbase Server 6.0.3 and Couchbase Sync Gateway through 2.7.0, the Cluster management, views, query, and full-text search endpoints are vulnerable to the Slowloris denial-of-service attack because they don't more aggressively terminate slow connections.
- risk 0.49cvss 7.5epss 0.01
Couchbase Server Java SDK before 2.7.1.1 allows a potential attacker to forge an SSL certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate that will be accepted by Java SDK's Netty component due to missing…
- risk 0.49cvss 7.5epss 0.01
In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. It then accepted the invalid certificate and attempted to use it to establish future connections to the…
- risk 0.49cvss 7.5epss 0.01
In Couchbase Server 4.6.3 and 5.5.0, secondary indexing encodes the entries to be indexed using collatejson. When index entries contain certain characters like \t, <, >, it caused buffer overrun as encoded string would be much larger than accounted for, causing indexer service…
- risk 0.42cvss 6.5epss 0.00
An issue was discovered in Couchbase Server 7.6.x through 7.6.3. A user with the security_admin_local role can create a new user in a group that has the admin role.
- risk 0.42cvss 6.5epss 0.01
An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (application exist) because of the OOM killer.
- risk 0.42cvss 6.5epss 0.01
Couchbase Server 6.6.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor.
- risk 0.42cvss 6.5epss 0.01
In the Query Engine in Couchbase Server 6.5.x and 6.6.x through 6.6.1, Common Table Expression queries were not correctly checking the user's permissions, allowing read-access to resources beyond what those users were explicitly allowed to access.
- risk 0.41cvss 6.3epss 0.00
An issue was discovered in Couchbase Server through 7.1.4 before 7.1.5 and before 7.2.1. There are Unauthenticated RMI Service Ports Exposed in Analytics.
- risk 0.40cvss 7.3epss 0.00
An issue was discovered in Couchbase Sync Gateway before 3.2.6. In sgcollect_info_options.log and sync_gateway.log, there are cleartext passwords in redacted and unredacted output.
- risk 0.40cvss 6.1epss 0.00
Couchbase Server 7.6.x before 7.6.2, 7.2.x before 7.2.6, and all earlier versions allows HTTP Host header injection.
- risk 0.40cvss 6.1epss 0.01
Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable, however some information security professionals additionally look for…
- risk 0.38cvss 5.9epss 0.00
An issue was discovered in Couchbase Server before 7.2.5 and 7.6.0 before 7.6.1. It does not ensure that credentials are negotiated with the Key-Value (KV) service using SCRAM-SHA when remote link encryption is configured for Half-Secure.
- risk 0.38cvss 5.9epss 0.01
In Couchbase Server 7.1.x before 7.1.1, an encrypted Private Key passphrase may be leaked in the logs.
- risk 0.38cvss 5.9epss 0.01
An issue was discovered in Couchbase Server 6.x through 6.6.1. The Couchbase Server UI is insecurely logging session cookies in the logs. This allows for the impersonation of a user if the log files are obtained by an attacker before a session cookie expires.
Page 1 of 2