Vulnerabilities (CVE)


9 total CVE
CVE | Vendor | Product(s) | Updated | CVSS
--- | --- | --- | --- | ---
CVE-2019-9039 | Couchbase | Sync Gateway | 2019-10-10 | 7.5
CVE-2019-11495 | Couchbase | Couchbase Server | 2019-09-26 | 7.5
CVE-2019-11466 | Couchbase | Server, Couchbase Server | 2019-09-26 | 5.0
CVE-2019-11497 | Couchbase | Couchbase Server | 2019-09-26 | 5.0
CVE-2019-11467 | Couchbase | Couchbase Server | 2019-09-26 | 7.8
CVE-2019-11464 | Couchbase | Server, Couchbase Server | 2019-09-26 | 4.3
CVE-2018-15728 | Couchbase | Server, Couchbase Server | 2019-09-26 | 9.0
CVE-2019-11496 | Couchbase | Couchbase Server | 2019-09-26 | 6.4
CVE-2019-11465 | Couchbase | Couchbase Server | 2019-09-13 | 5.0

CVE-2019-9039
In Couchbase Sync Gateway 2.1.2, an attacker with access to the Sync Gateway's public REST API was able to issue additional N1QL statements and extract sensitive data or call arbitrary N1QL functions through the parameters "startkey" and "endkey"...

CVE-2019-11495
In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely. Couchbase Server uses erlang:now() to seed the PRNG which results in a small search space for potential random seeds that could then be used to...

CVE-2019-11466
In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes system diagnostic profile via an HTTP endpoint that does not require credentials on a port earmarked for internal traffic only. This has been remedied in version 6.0.1 and now...

CVE-2019-11497
In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. It then accepted the invalid certificate and attempted to use it to...

CVE-2019-11467
In Couchbase Server 4.6.3 and 5.5.0, secondary indexing encodes the entries to be indexed using collatejson. When index entries contain certain characters like \t, <, >, it caused buffer overrun as encoded string would be much larger than...

CVE-2019-11464
Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable, however some information security professionals additionally...

CVE-2018-15728
Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API and...

CVE-2019-11496
In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication. As part of 5.0, the behavior of all buckets including "default" were changed to only allow...

CVE-2019-11465
An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a non-redacted username. The system information submitted to Couchbase as part of a bug report included the usernames...