Candidate: CVE-2017-12636
PublicDate: 2017-11-14 20:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12636
 http://www.openwall.com/lists/oss-security/2017/11/14/6
 https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E
Description:
 CouchDB administrative users can configure the database server via HTTP(S).
 Some of the configuration options include paths for operating system-level
 binaries that are subsequently launched by CouchDB. This allows an admin
 user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute
 arbitrary shell commands as the CouchDB user, including downloading and
 executing scripts from the public internet.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H [7.2 HIGH]


Patches_couchdb:
upstream_couchdb: released (1.7.0)
precise/esm_couchdb: DNE
trusty_couchdb: ignored (reached end-of-life)
trusty/esm_couchdb: DNE (trusty was needed)
xenial_couchdb: ignored (end of standard support, was needed)
zesty_couchdb: ignored (reached end-of-life)
artful_couchdb: ignored (reached end-of-life)
bionic_couchdb: DNE
cosmic_couchdb: DNE
disco_couchdb: DNE
eoan_couchdb: DNE
focal_couchdb: DNE
groovy_couchdb: DNE
hirsute_couchdb: DNE
impish_couchdb: DNE
jammy_couchdb: DNE
devel_couchdb: DNE