Couchbase Alerts

This page lists critical alerts and advisories for Couchbase.

Enterprise Security Alerts

| CVE | Synopsis | Impact (CVSS) | Products | Affects Version | Fix Version | Publish Date |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-49338 | Query Service stats endpoint was accessible without authentication. The Query stats endpoint did not implement correct authentication, making it possible to view the stats information. | Medium (5.3) | Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.x | Server 7.2.4 | January 2024 |
| CVE-2023-45873 | User with Data Reader role could OOM kill the Data Service. A user with the Data Reader privilege could kill the Data Service by sending GetKeys requests for a high number of documents, triggering an Out-of-Memory (OOM) error. | Medium (6.5) | Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.6.x, 6.5.x | Server 7.2.4 | January 2024 |
| CVE-2023-45874 | Data readers could DoS the reader threads. A user with the Data Reader role could lock a Data Service reader thread for a significant time by requesting a high number of keys, and could potentially lock up all reader threads by issuing the same command on multiple connections. | Medium (4.3) | Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.6.x, 6.5.x | Server 7.2.4 | January 2024 |
| CVE-2023-43769 | Unauthenticated RMI service ports exposed in Analytics Service. Network ports 9119 and 9121 were unauthenticated RMI service ports hosted by the Analytics Service, which could result in privilege escalation. | Critical (9.1) | Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x | Server 7.2.4 | January 2024 |
| CVE-2023-50437 | otpCookie was shown to a user with the Full Admin role on the Cluster Manager's API endpoints serverGroups and engageCluster2. The cluster's otpCookie was leaked to users with the Full Admin role on the serverGroups API endpoint, and to users with either the Cluster Admin or Full Admin role on the engageCluster2 API endpoint. This could be used to elevate privileges. | High (8.6) | Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x | Server 7.2.4 | January 2024 |
| CVE-2023-49931 | SQL++ cURL calls to /diag/eval were not sufficiently restricted. Calling cURL via SQL++ (N1QL) using the Query Service to the localhost's /diag/eval endpoint wasn't fully prevented. | High (8.6) | Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x | Server 7.2.4 | January 2024 |
| CVE-2023-49932 | SQL++ (N1QL) cURL host restrictions implementation issue. The SQL++ (N1QL) cURL allowlist protection in the Query Service was not sufficient to prevent access to restricted hosts. | Medium (5.3) | Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x | Server 7.2.4 | January 2024 |
| CVE-2023-49930 | Eventing SQL++ cURL calls to /diag/eval were not sufficiently restricted. Calling cURL via SQL++ (N1QL) through the Eventing Service to the local host's /diag/eval endpoint wasn't fully prevented. | High (8.6) | Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.5.x | Server 7.2.4 | January 2024 |
| CVE-2023-50436 | Credentials of the internal Full Admin user for cluster management leaked to a log file. A logging event caused the internal @ns_server admin credentials to be leaked in encoded form in diag.log. | Low (2.1) | Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.6, 7.1.5 | Server 7.2.4 | January 2024 |
| CVE-2024-23302 | TLS private key leaked in XDCR log file. The private key used for Cross Datacenter Replication (XDCR) was leaked in goxdcr.log. | Low (2.1) | Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.5.x | Server 7.2.4 | January 2024 |
| CVE-2023-38545 | Upgrade cURL to 8.4.0. The flaw in curl causes a heap-based buffer overflow in the SOCKS5 proxy handshake. | Critical (9.8) | Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.6.x, 6.5.x | Server 7.2.4 | January 2024 |
| CVE-2023-5678 | Upgrade to OpenSSL 3.1.4. Applications that use DH_generate_key() to generate an X9.42 DH key, and applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters, may experience long delays. Where the key or parameters being checked have been obtained from an untrusted source, this may lead to a Denial of Service. | Medium (5.3) | Couchbase Server | Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x | Server 7.2.4 | January 2024 |
| CVE-2023-44487 | Upgrade gRPC to v1.58.3. The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly. | High (7.5) | Couchbase Server | Server 7.2.2, 7.2.1, 7.2.0, 7.1.5, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.x, 5.x, 4.x | Server 7.2.3, 7.1.6 | November 2023 |