In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.
Fixes

Solution

No solution given by the vendor.


Workaround

CouchDB 3.2.2 and onwards will refuse to start with the former default Erlang cookie value of `monster`. Installations that upgrade to this versions are forced to choose a different value. In addition, all binary packages have been updated to bind `epmd` as well as the CouchDB distribution port to `127.0.0.1` and/or `::1` respectively.

History

Wed, 29 Jan 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2022-08-25'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-07-30T01:37:42.786Z

Reserved: 2022-02-10T00:00:00.000Z

Link: CVE-2022-24706

cve-icon Vulnrichment

Updated: 2024-08-03T04:20:50.213Z

cve-icon NVD

Status : Analyzed

Published: 2022-04-26T10:15:35.083

Modified: 2025-03-06T19:48:51.880

Link: CVE-2022-24706

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.