VYPR

Vendor CVEs

Couchbase

All CVEs

64 total · sorted by risk
  • CVE-2020-24719CriNov 12, 2020
    risk 0.69cvss 9.8epss 0.23

    Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes is done by exchanging a shared secret (aka "magic cookie"). There are cases where the magic cookie is included in the content of the logs. An attacker can use the cookie…

  • CVE-2023-49931CriFeb 29, 2024
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in Couchbase Server before 7.2.4. SQL++ cURL calls to /diag/eval are not sufficiently restricted.

  • CVE-2023-49930CriFeb 29, 2024
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in Couchbase Server before 7.2.4. cURL calls to /diag/eval are not sufficiently restricted.

  • CVE-2022-32563CriJun 10, 2022
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509…

  • CVE-2021-35943CriSep 29, 2021
    risk 0.64cvss 9.8epss 0.01

    Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty password, per RFC4513.

  • CVE-2020-9039CriFeb 22, 2020
    risk 0.64cvss 9.8epss 0.04

    Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).The /settings REST endpoint exposed by the projector process is an…

  • CVE-2019-11495CriSep 10, 2019
    risk 0.64cvss 9.8epss 0.02

    In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely. Couchbase Server uses erlang:now() to seed the PRNG which results in a small search space for potential random seeds that could then be used to brute force the cookie and execute…

  • CVE-2022-32559CriJun 14, 2022
    risk 0.59cvss 9.1epss 0.01

    An issue was discovered in Couchbase Server before 7.0.4. Random HTTP requests lead to leaked metrics.

  • CVE-2019-11496CriSep 10, 2019
    risk 0.59cvss 9.1epss 0.01

    In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication. As part of 5.0, the behavior of all buckets including "default" were changed to only allow access by authenticated users with…

  • CVE-2022-32562HigJun 13, 2022
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in Couchbase Server before 7.0.4. Operations may succeed on a collection using stale RBAC permission.

  • CVE-2020-9042HigJun 8, 2020
    risk 0.57cvss 8.8epss 0.01

    In Couchbase Server 6.0, credentials cached by a browser can be used to perform a CSRF attack if an administrator has used their browser to check the results of a REST API request.

  • CVE-2018-15728HigAug 24, 2018
    risk 0.57cvss 8.8epss 0.03

    Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API and the code would subsequently be…

  • CVE-2023-50437HigFeb 29, 2024
    risk 0.56cvss 8.6epss 0.01

    An issue was discovered in Couchbase Server before 7.2.x before 7.2.4. otpCookie is shown with full admin on pools/default/serverGroups and engageCluster2.

  • CVE-2022-42951HigFeb 6, 2023
    risk 0.53cvss 8.1epss 0.01

    An issue was discovered in Couchbase Server 6.5.x and 6.6.x before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2. During the start-up of a Couchbase Server node, there is a small window of time (before the cluster management authentication has started) where an attacker can…

  • CVE-2021-43963HigDec 7, 2021
    risk 0.53cvss 8.1epss 0.01

    An issue was discovered in Couchbase Sync Gateway 2.7.0 through 2.8.2. The bucket credentials used to read and write data in Couchbase Server were insecurely being stored in the metadata within sync documents written to the bucket. Users with read access could use these…

  • CVE-2025-46619HigApr 30, 2025
    risk 0.49cvss 7.6epss 0.00

    A security issue has been discovered in Couchbase Server before 7.6.4 and fixed in v.7.6.4 and v.7.2.7 for Windows that could allow unauthorized access to sensitive files. Depending on the level of privileges, this vulnerability may grant access to files such as /etc/passwd or…

  • CVE-2023-43768HigMar 27, 2024
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in Couchbase Server 6.6.x through 7.2.0, before 7.1.5 and 7.2.1. Unauthenticated users may cause memcached to run out of memory via large commands.

  • CVE-2024-23302HigFeb 29, 2024
    risk 0.49cvss 7.5epss 0.01

    Couchbase Server before 7.2.4 has a private key leak in goxdcr.log.

  • CVE-2023-49338HigFeb 28, 2024
    risk 0.49cvss 7.5epss 0.01

    Couchbase Server 7.1.x and 7.2.x before 7.2.4 does not require authentication for the /admin/stats and /admin/vitals endpoints on TCP port 8093 of localhost.

  • CVE-2023-36667HigNov 8, 2023
    risk 0.49cvss 7.5epss 0.01

    Couchbase Server 7.1.4 before 7.1.5 and 7.2.0 before 7.2.1 allows Directory Traversal.

  • CVE-2023-45875HigNov 8, 2023
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in Couchbase Server 7.2.0. There is a private key leak in debug.log while adding a pre-7.0 node to a 7.2 cluster.

  • CVE-2023-25016HigFeb 6, 2023
    risk 0.49cvss 7.5epss 0.00

    Couchbase Server before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2 exposes Sensitive Information to an Unauthorized Actor.

  • CVE-2022-32556HigJul 21, 2022
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in Couchbase Server before 7.0.4. A private key is leaked to the log files with certain crashes.

  • CVE-2022-33173HigJul 12, 2022
    risk 0.49cvss 7.5epss 0.01

    An algorithm-downgrade issue was discovered in Couchbase Server before 7.0.4. Analytics Remote Links may temporarily downgrade to non-TLS connection to determine the TLS port number, using SCRAM-SHA instead.

  • CVE-2022-32557HigJun 14, 2022
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in Couchbase Server before 7.0.4. The Index Service does not enforce authentication for TCP/TLS servers.

  • CVE-2022-32565HigJun 13, 2022
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in Couchbase Server before 7.0.4. The Backup Service log leaks unredacted usernames and document ids.

  • CVE-2022-32192HigJun 13, 2022
    risk 0.49cvss 7.5epss 0.01

    Couchbase Server 5.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor.

  • CVE-2022-32560HigJun 13, 2022
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in Couchbase Server before 7.0.4. XDCR lacks role checking when changing internal settings.

  • CVE-2022-32558HigJun 13, 2022
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in Couchbase Server before 7.0.4. Sample bucket loading may leak internal user passwords during a failure.

  • CVE-2022-26311HigMar 10, 2022
    risk 0.49cvss 7.5epss 0.01

    Couchbase Operator 2.2.x before 2.2.3 exposes Sensitive Information to an Unauthorized Actor. Secrets are not redacted in logs collected from Kubernetes environments.

  • CVE-2021-42763HigNov 2, 2021
    risk 0.49cvss 7.5epss 0.01

    Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included…

  • CVE-2021-37842HigNov 2, 2021
    risk 0.49cvss 7.5epss 0.01

    metakv in Couchbase Server 7.0.0 uses Cleartext for Storage of Sensitive Information. Remote Cluster XDCR credentials can get leaked in debug logs. Config key tombstone purging was added in Couchbase Server 7.0.0. This issue happens when a config key, which is being logged, has…

  • CVE-2021-35945HigSep 29, 2021
    risk 0.49cvss 7.5epss 0.01

    Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached.

  • CVE-2021-35944HigSep 29, 2021
    risk 0.49cvss 7.5epss 0.01

    Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached.

  • CVE-2021-25644HigMay 19, 2021
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in Couchbase Server 5.x and 6.x through 6.6.1 and 7.0.0 Beta. Incorrect commands to the REST API can result in leaked authentication information being stored in cleartext in the debug.log and info.log files, and is also shown in the UI visible to…

  • CVE-2020-9041HigJun 8, 2020
    risk 0.49cvss 7.5epss 0.01

    In Couchbase Server 6.0.3 and Couchbase Sync Gateway through 2.7.0, the Cluster management, views, query, and full-text search endpoints are vulnerable to the Slowloris denial-of-service attack because they don't more aggressively terminate slow connections.

  • CVE-2020-9040HigJun 8, 2020
    risk 0.49cvss 7.5epss 0.01

    Couchbase Server Java SDK before 2.7.1.1 allows a potential attacker to forge an SSL certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate that will be accepted by Java SDK's Netty component due to missing…

  • CVE-2019-11497HigSep 10, 2019
    risk 0.49cvss 7.5epss 0.01

    In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. It then accepted the invalid certificate and attempted to use it to establish future connections to the…

  • CVE-2019-11467HigSep 10, 2019
    risk 0.49cvss 7.5epss 0.01

    In Couchbase Server 4.6.3 and 5.5.0, secondary indexing encodes the entries to be indexed using collatejson. When index entries contain certain characters like \t, <, >, it caused buffer overrun as encoded string would be much larger than accounted for, causing indexer service…

  • CVE-2024-56178MedJan 27, 2025
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered in Couchbase Server 7.6.x through 7.6.3. A user with the security_admin_local role can create a new user in a group that has the admin role.

  • CVE-2023-45873MedFeb 28, 2024
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (application exist) because of the OOM killer.

  • CVE-2022-32193MedJun 13, 2022
    risk 0.42cvss 6.5epss 0.01

    Couchbase Server 6.6.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor.

  • CVE-2021-31158MedMay 19, 2021
    risk 0.42cvss 6.5epss 0.01

    In the Query Engine in Couchbase Server 6.5.x and 6.6.x through 6.6.1, Common Table Expression queries were not correctly checking the user's permissions, allowing read-access to resources beyond what those users were explicitly allowed to access.

  • CVE-2023-43769MedFeb 29, 2024
    risk 0.41cvss 6.3epss 0.00

    An issue was discovered in Couchbase Server through 7.1.4 before 7.1.5 and before 7.2.1. There are Unauthenticated RMI Service Ports Exposed in Analytics.

  • CVE-2025-52490HigJul 29, 2025
    risk 0.40cvss 7.3epss 0.00

    An issue was discovered in Couchbase Sync Gateway before 3.2.6. In sgcollect_info_options.log and sync_gateway.log, there are cleartext passwords in redacted and unredacted output.

  • CVE-2024-25673MedSep 19, 2024
    risk 0.40cvss 6.1epss 0.00

    Couchbase Server 7.6.x before 7.6.2, 7.2.x before 7.2.6, and all earlier versions allows HTTP Host header injection.

  • CVE-2019-11464MedSep 10, 2019
    risk 0.40cvss 6.1epss 0.01

    Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable, however some information security professionals additionally look for…

  • CVE-2024-37034MedJul 26, 2024
    risk 0.38cvss 5.9epss 0.00

    An issue was discovered in Couchbase Server before 7.2.5 and 7.6.0 before 7.6.1. It does not ensure that credentials are negotiated with the Key-Value (KV) service using SCRAM-SHA when remote link encryption is configured for Half-Secure.

  • CVE-2022-34826MedJul 15, 2022
    risk 0.38cvss 5.9epss 0.01

    In Couchbase Server 7.1.x before 7.1.1, an encrypted Private Key passphrase may be leaked in the logs.

  • CVE-2021-27924MedMay 19, 2021
    risk 0.38cvss 5.9epss 0.01

    An issue was discovered in Couchbase Server 6.x through 6.6.1. The Couchbase Server UI is insecurely logging session cookies in the logs. This allows for the impersonation of a user if the log files are obtained by an attacker before a session cookie expires.

Page 1 of 2