Apache CouchDB JSON Remote Privilege Escalation (Dec 8, 2017)

Apache CouchDB is open source database software that focuses on ease of use and having a scalable architecture. It has a document-oriented NoSQL database architecture and is implemented in the concurrency-oriented language Erlang; it uses JSON to store data, JavaScript as its query language using MapReduce, and HTTP for an API.

A privilege escalation vulnerability exists in CouchDB. The vulnerability is due to a discrepancy in the behaviours of the JavaScript JSON parser, used in design documents, and the Jiffy JSON parser, used within the CouchDB Erlang-based internals. Allowing an attacker to bypass the user access control.

Read More…