{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3aapachecouchdb2.0.0rc3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*","cpe:2.3:a:apache:couchdb:2.0.0:*:*:*:*:*:*:*","cpe:2.3:a:apache:couchdb:2.0.0:rc1:*:*:*:*:*:*","cpe:2.3:a:apache:couchdb:2.0.0:rc2:*:*:*:*:*:*","cpe:2.3:a:apache:couchdb:2.0.0:rc3:*:*:*:*:*:*","cpe:2.3:a:apache:couchdb:2.0.0:rc4:*:*:*:*:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2017-12635"},{"cvss":7.2,"id":"CVE-2017-12636"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CouchDB 1.6.0"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","remote-code-execution","couchdb","CVE-2017-12635","CVE-2017-12636"],"_cs_type":"advisory","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eA public exploit has surfaced detailing a critical vulnerability in Apache CouchDB version 1.6.0. This exploit leverages CVE-2017-12635, an improper privilege management flaw, enabling an attacker to gain administrative privileges. By exploiting inconsistent handling of duplicate JSON \u003ccode\u003eroles\u003c/code\u003e keys, a malicious actor can create a new user with administrator rights. This privilege escalation serves as a stepping stone to CVE-2017-12636, which allows remote code execution by modifying CouchDB\u0026rsquo;s configuration via the HTTP API. The vulnerability is triggered when CouchDB versions prior to 1.7.1 process design functions that declare a \u0026ldquo;language\u0026rdquo; field. 
Successful exploitation can lead to complete system compromise as the attacker gains the ability to execute arbitrary commands on the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker probes the target CouchDB instance, identifying version 1.6.0 running on port 5984.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits CVE-2017-12635 by sending a crafted HTTP PUT request to the \u003ccode\u003e/_users\u003c/code\u003e endpoint with a JSON payload containing duplicate \u0026ldquo;roles\u0026rdquo; keys. The first \u0026ldquo;roles\u0026rdquo; key grants admin privileges, while the second bypasses validation.\u003c/li\u003e\n\u003cli\u003eA new user account, such as \u0026ldquo;hacker\u0026rdquo;, is created with administrative privileges due to the vulnerability in JSON parsing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the CouchDB instance using the newly created admin account.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits CVE-2017-12636 by sending an HTTP PUT request to the \u003ccode\u003e/_config/query_servers/cmd\u003c/code\u003e endpoint, setting the value to an OS command (e.g., \u0026ldquo;id 1\u0026gt;/tmp/pwned 2\u0026gt;\u0026amp;1\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new database (e.g., \u0026ldquo;rcetest\u0026rdquo;) and a design document with a view using the \u0026ldquo;cmd\u0026rdquo; language.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the view by sending an HTTP GET request to the \u003ccode\u003e/rcetest/_design/rce/_view/myview\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eCouchDB executes the configured OS command under the privileges of the CouchDB process (couchdb user), achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain full control of the CouchDB instance. 
This includes the ability to read, modify, and delete sensitive data stored within the databases. Furthermore, by leveraging remote code execution (CVE-2017-12636), attackers can execute arbitrary commands on the server with the privileges of the CouchDB process. The exploit described in the source material shows code execution with the privileges of the \u0026ldquo;couchdb\u0026rdquo; user (uid=1000); this is remote code execution within the boundaries of the service permissions, and it remains sufficient to further compromise the host system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Apache CouchDB to a secure version (≥ 1.7.1 or ≥ 2.1.1, recommended version 3.x) to patch CVE-2017-12635 and CVE-2017-12636.\u003c/li\u003e\n\u003cli\u003eConfigure \u003ccode\u003erequire_valid_user = true\u003c/code\u003e in the \u003ccode\u003elocal.ini\u003c/code\u003e configuration file to block all anonymous API access, mitigating CVE-2017-12635.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict access to port 5984 (CouchDB HTTP API) to only trusted IPs.\u003c/li\u003e\n\u003cli\u003eUse \u003ccode\u003econfig_whitelist\u003c/code\u003e in the \u003ccode\u003elocal.ini\u003c/code\u003e file to restrict which configuration keys can be modified via the API, preventing attackers from leveraging the \u003ccode\u003e/_config/query_servers\u003c/code\u003e endpoint to inject OS commands, addressing CVE-2017-12636.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T20:02:07Z","date_published":"2026-05-29T20:02:07Z","id":"https://feed.craftedsignal.io/briefs/2026-05-couchdb-privesc-rce/","summary":"A public exploit demonstrates improper privilege management in Apache CouchDB (CVE-2017-12635) leading to privilege escalation, which can be combined with CVE-2017-12636 for remote code execution by modifying server configurations via the HTTP 
API.","title":"Apache CouchDB Improper Privilege Management Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-couchdb-privesc-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:apache:couchdb:2.0.0:rc3:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}