Vendor CVEs
Couchbase
All CVEs
64 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-49932 | | Med | 0.35 | 5.4 | 0.01 | | Feb 29, 2024 | An issue was discovered in Couchbase Server before 7.2.4. An attacker can bypass SQL++ N1QL cURL host restrictions. |
| CVE-2023-28470 | | Med | 0.35 | 5.3 | 0.01 | | Mar 23, 2023 | In Couchbase Server 5 through 7 before 7.1.4, the nsstats endpoint is accessible without authentication. |
| CVE-2022-33911 | | Med | 0.35 | 5.3 | 0.01 | | Jul 12, 2022 | An issue was discovered in Couchbase Server 7.x before 7.0.4. Field names are not redacted in logged validation messages for Analytics Service. An Unauthorized Actor may be able to obtain Sensitive Information. |
| CVE-2019-11466 | | Med | 0.35 | 5.3 | 0.01 | | Sep 10, 2019 | In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes system diagnostic profile via an HTTP endpoint that does not require credentials on a port earmarked for internal traffic only. This has been remedied in version 6.0.1 and now requires valid credentials to access. |
| CVE-2019-11465 | | Med | 0.35 | 5.3 | 0.01 | | Sep 10, 2019 | An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a non-redacted username. The system information submitted to Couchbase as part of a bug report included the usernames for all users currently logged… |
| CVE-2023-50436 | | Med | 0.34 | 5.3 | 0.00 | | Feb 29, 2024 | An issue was discovered in Couchbase Server before 7.2.4. ns_server admin credentials are leaked in encoded form in the diag.log file. The earliest affected version is 7.1.5. |
| CVE-2022-42950 | | Med | 0.32 | 4.9 | 0.01 | | Feb 6, 2023 | An issue was discovered in Couchbase Server 7.x before 7.0.5 and 7.1.x before 7.1.2. A crafted HTTP REST request from an administrator account to the Couchbase Server Backup Service can exhaust memory resources, causing the process to be killed, which can be used for denial of… |
| CVE-2022-32561 | | Med | 0.32 | 4.9 | 0.01 | | Jun 14, 2022 | An issue was discovered in Couchbase Server before 6.6.5 and 7.x before 7.0.4. Previous mitigations for CVE-2018-15728 were found to be insufficient when it was discovered that diagnostic endpoints could still be accessed from the network. |
| CVE-2021-33504 | | Med | 0.32 | 4.9 | 0.01 | | Jun 2, 2022 | Couchbase Server before 7.1.0 has Incorrect Access Control. |
| CVE-2021-25643 | | Med | 0.32 | 4.9 | 0.01 | | May 26, 2021 | An issue was discovered in Couchbase Server 5.x and 6.x before 6.5.2 and 6.6.x before 6.6.2. Internal users with administrator privileges, @cbq-engine-cbauth and @index-cbauth, leak credentials in cleartext in the indexer.log file when they make a /listCreateTokens,… |
| CVE-2021-27925 | | Med | 0.29 | 4.4 | 0.01 | | May 19, 2021 | An issue was discovered in Couchbase Server 6.5.x and 6.6.x through 6.6.1. When using the View Engine and Auditing is enabled, a crash condition can (depending on a race condition) cause an internal user with administrator privileges, @ns_server, to have its credentials leaked… |
| CVE-2021-25645 | | Med | 0.29 | 4.4 | 0.00 | | May 10, 2021 | An issue was discovered in Couchbase Server before 6.0.5, 6.1.x through 6.5.x before 6.5.2, and 6.6.x before 6.6.1. An internal user with administrator privileges, @ns_server, leaks credentials in cleartext in the cbcollect_info.log, debug.log, ns_couchdb.log, indexer.log, and… |
| CVE-2023-45874 | | Med | 0.28 | 4.3 | 0.01 | | Feb 29, 2024 | An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (outage of reader threads). |
| CVE-2025-49015 | | Med | 0.25 | 4.9 | 0.00 | | Jun 18, 2025 | The Couchbase .NET SDK (client library) before 3.7.1 does not properly enable hostname verification for TLS certificates. In fact, the SDK was also using IP addresses instead of hostnames due to a configuration option that was incorrectly enabled by default. |
Page 2 of 2