Couchbase Alerts

This page lists critical alerts and advisories for Couchbase.

Enterprise Security Alerts

Fields: CVE, Synopsis, Impact (CVSS), Products, Affects Version, Fix Version, Publish Date

CVE-2023-49338
Synopsis: Query Service stats endpoint was accessible without authentication. The Query stats endpoint did not implement correct authentication, making it possible to view the stats information.
Impact (CVSS): Medium (5.3)
Products: Couchbase Server
Affects Version: Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.x
Fix Version: Server 7.2.4
Publish Date: January 2024

CVE-2023-45873
Synopsis: User with Data Reader role could OOM kill the Data Service. A user with the Data Reader privilege could kill the Data Service by sending GetKeys requests for a high number of documents, triggering an Out-of-Memory (OOM) error.
Impact (CVSS): Medium (6.5)
Products: Couchbase Server
Affects Version: Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.6.x, 6.5.x
Fix Version: Server 7.2.4
Publish Date: January 2024

CVE-2023-45874
Synopsis: Data readers could DoS the reader threads. A user with the Data Reader role could lock a Data Service reader thread for a significant time by requesting a high number of keys, and could potentially lock up all reader threads by issuing the same command on multiple connections.
Impact (CVSS): Medium (4.3)
Products: Couchbase Server
Affects Version: Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.6.x, 6.5.x
Fix Version: Server 7.2.4
Publish Date: January 2024

CVE-2023-43769
Synopsis: Unauthenticated RMI service ports exposed in Analytics Service. Network ports 9119 and 9121 were unauthenticated RMI service ports hosted by the Analytics Service, which could result in privilege escalation.
Impact (CVSS): Critical (9.1)
Products: Couchbase Server
Affects Version: Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x
Fix Version: Server 7.2.4
Publish Date: January 2024

CVE-2023-50437
Synopsis: otpCookie was shown to a user with the Full Admin role on the Cluster Manager's API endpoints serverGroups and engageCluster2. The cluster's otpCookie was leaked to users with the Full Admin role on the serverGroups API endpoint, and to users with either the Cluster Admin or the Full Admin role on the engageCluster2 API endpoint. This could be used to elevate privileges.
Impact (CVSS): High (8.6)
Products: Couchbase Server
Affects Version: Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x
Fix Version: Server 7.2.4
Publish Date: January 2024

CVE-2023-49931
Synopsis: SQL++ cURL calls to /diag/eval were not sufficiently restricted. cURL calls issued via SQL++ (N1QL) through the Query Service to the local host's /diag/eval endpoint were not fully prevented.
Impact (CVSS): High (8.6)
Products: Couchbase Server
Affects Version: Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x
Fix Version: Server 7.2.4
Publish Date: January 2024

CVE-2023-49932
Synopsis: SQL++ (N1QL) cURL host restrictions implementation issue. The SQL++ (N1QL) cURL allowlist protection in the Query Service was not sufficient to prevent access to restricted hosts.
Impact (CVSS): Medium (5.3)
Products: Couchbase Server
Affects Version: Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x
Fix Version: Server 7.2.4
Publish Date: January 2024

CVE-2023-49930
Synopsis: Eventing SQL++ cURL calls to /diag/eval were not sufficiently restricted. cURL calls issued via SQL++ (N1QL) through the Eventing Service to the local host's /diag/eval endpoint were not fully prevented.
Impact (CVSS): High (8.6)
Products: Couchbase Server
Affects Version: Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.5.x
Fix Version: Server 7.2.4
Publish Date: January 2024

CVE-2023-50436
Synopsis: Credentials of the internal Full Admin user used for cluster management were leaked to a log file. A logging event caused the internal @ns_server admin credentials to be leaked, in encoded form, to diag.log.
Impact (CVSS): Low (2.1)
Products: Couchbase Server
Affects Version: Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.6, 7.1.5
Fix Version: Server 7.2.4
Publish Date: January 2024

CVE-2024-23302
Synopsis: TLS private key leaked in XDCR log file. The private key used for Cross Datacenter Replication (XDCR) was leaked in goxdcr.log.
Impact (CVSS): Low (2.1)
Products: Couchbase Server
Affects Version: Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.5.x
Fix Version: Server 7.2.4
Publish Date: January 2024

CVE-2023-38545
Synopsis: Upgrade cURL to 8.4.0. A flaw in curl could cause a heap-based buffer overflow in the SOCKS5 proxy handshake.
Impact (CVSS): Critical (9.8)
Products: Couchbase Server
Affects Version: Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.6.x, 6.5.x
Fix Version: Server 7.2.4
Publish Date: January 2024

CVE-2023-5678
Synopsis: Upgrade to OpenSSL 3.1.4. Applications that use DH_generate_key() to generate an X9.42 DH key, and applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters, may experience long delays. Where the key or parameters being checked have been obtained from an untrusted source, this may lead to a Denial of Service.
Impact (CVSS): Medium (5.3)
Products: Couchbase Server
Affects Version: Server 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.1.x, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x
Fix Version: Server 7.2.4
Publish Date: January 2024

CVE-2023-44487
Synopsis: Upgrade gRPC to v1.58.3. The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly.
Impact (CVSS): High (7.5)
Products: Couchbase Server
Affects Version: Server 7.2.2, 7.2.1, 7.2.0, 7.1.5, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.x, 5.x, 4.x
Fix Version: Server 7.2.3, 7.1.6
Publish Date: November 2023

CVE-2023-44487
Synopsis: Upgrade Golang to 1.20.10. The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly.
Impact (CVSS): High (7.5)
Products: Couchbase Server
Affects Version: Server 7.2.2, 7.2.1, 7.2.0, 7.1.5, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.x, 5.x, 4.x
Fix Version: Server 7.2.3, 7.1.6
Publish Date: November 2023

CVE-2023-0464
Synopsis: Upgrade to OpenSSL 1.1.1u. A vulnerability in OpenSSL in the verification of X.509 certificate chains that include policy constraints. An attacker could exploit it by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial of service (DoS) on affected systems.
Impact (CVSS): High (7.5)
Products: Couchbase Server
Affects Version: Server 7.2.0, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x
Fix Version: Server 7.2.1, 7.1.5
Publish Date: November 2023

CVE-2022-41723
Synopsis: Update Golang to 1.19.9. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
Impact (CVSS): High (7.5)
Products: Couchbase Server
Affects Version: Server 7.2.0, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.x, 5.x, 4.x
Fix Version: Server 7.2.1, 7.1.5
Publish Date: November 2023

CVE-2023-3079, CVE-2023-2033
Synopsis: Update V8 to 11.4.185.1. Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Impact (CVSS): High (8.0)
Products: Couchbase Server
Affects Version: Server 7.2.0, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x
Fix Version: Server 7.2.1, 7.1.5
Publish Date: November 2023

CVE-2023-21930, CVE-2023-21954, CVE-2023-21967, CVE-2023-21939, CVE-2023-21938, CVE-2023-21937, CVE-2023-21968
Synopsis: Update OpenJDK to 11.0.19. Update OpenJDK to version 11.0.19 to resolve numerous CVEs.
Impact (CVSS): High (7.4)
Products: Couchbase Server
Affects Version: Server 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.6.x
Fix Version: Server 7.1.5
Publish Date: November 2023

CVE-2023-36667
Synopsis: Windows traversal security issue. The Couchbase Server Windows UI allows an attacker to traverse the filesystem and display files that Couchbase has access to. This vulnerability does not require any authentication; it is exploitable simply by appending folders or files to the Couchbase Server admin UI's URL.
Impact (CVSS): High (7.5)
Products: Couchbase Server
Affects Version: Server 7.2.0, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.x, 5.x, 4.x, 3.x, 2.x
Fix Version: Server 7.2.1, 7.1.5
Publish Date: November 2023

CVE-2023-43768
Synopsis: Unauthenticated users may cause memcached to run out of memory. A malicious user may easily crash a memcached server by connecting to the server and sending large commands.
Impact (CVSS): High (7.5)
Products: Couchbase Server
Affects Version: Server 7.2.0, 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.6.x
Fix Version: Server 7.2.1, 7.1.5
Publish Date: November 2023

CVE-2023-45875
Synopsis: Private key leak in debug.log while adding a pre-7.0 node to a 7.2 cluster. The private key is leaked to debug.log when adding a pre-7.0 node to a 7.2 cluster.
Impact (CVSS): Medium (4.4)
Products: Couchbase Server
Affects Version: Server 7.2.0
Fix Version: Server 7.2.1
Publish Date: November 2023

CVE-2022-41881, CVE-2022-41915
Synopsis: Update Netty to 4.1.86.Final or higher. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion.
Impact (CVSS): Low (2.2)
Products: Couchbase Server
Affects Version: Server 6.6.6, 7.0.5, 7.1.3
Fix Version: Server 7.2.0, 7.1.4
Publish Date: May 2023

CVE-2023-28470
Synopsis: Full Text Search (FTS) nsstats endpoint is accessible without authentication. The FTS stats endpoint at /api/nsstats does not implement correct authentication, so it is possible to view the names of Couchbase Server buckets, the names of FTS indexes and the configuration of FTS indexes without authentication. The contents of the buckets and indexes are not exposed.
Impact (CVSS): Medium (5.3)
Products: Couchbase Server
Affects Version: Server 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.6.x
Fix Version: Server 7.1.4
Publish Date: March 2023

CVE-2023-25016
Synopsis: Credentials can be leaked to the logs if there is a crash during a node join. During a node join failure, unredacted credentials of the user making the REST request can be leaked into the log files.
Impact (CVSS): Medium (6.3)
Products: Couchbase Server
Affects Version: Server 7.1.1, 7.1.0, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.x, 4.x, 3.x, 2.x
Fix Version: Server 7.1.2, 7.0.5, 6.6.6
Publish Date: January 2023

CVE-2022-42951
Synopsis: Couchbase Cluster Manager lacks access controls during a cluster node restart. During the start of a Couchbase Server node there is a short period during which the security cookie is set to "nocookie", leaving the Erlang distribution protocol without access controls. If an attacker connects to this protocol during this period, they can execute arbitrary code remotely on any cluster node at any point in time until their connection is dropped. The executed code runs with the same privileges as Couchbase Server.
Impact (CVSS): Critical (9.8)
Products: Couchbase Server
Affects Version: Server 7.1.1, 7.1.0, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, 6.6.0, 6.5.x
Fix Version: Server 7.1.2, 7.0.5, 6.6.6
Publish Date: January 2023

CVE-2022-42004, CVE-2022-42003
Synopsis: Update Jackson Databind, as used in the Analytics Service, to 2.13.4.2 or later to resolve vulnerabilities. Resource exhaustion of the Couchbase Analytics Service can occur because of a missing check to prevent the use of deeply nested arrays.
Impact (CVSS): High (7.5)
Products: Couchbase Server
Affects Version: Server 7.1.2, 7.1.1, 7.1.0, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.x, 4.x
Fix Version: Server 7.1.3, 7.0.5, 6.6.6
Publish Date: January 2023

CVE-2022-42950
Synopsis: A crafted HTTP request to the REST API can cause a backup service OOM. An extremely large (or unbounded) HTTP request body may cause an out-of-memory (OOM) error in the backup service.
Impact (CVSS): Medium (4.9)
Products: Couchbase Server
Affects Version: Server 7.1.1, 7.1.0, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
Fix Version: Server 7.1.2, 7.0.5
Publish Date: January 2023

CVE-2022-1096
Synopsis: Update V8 JavaScript engine to 10.7.x. The V8 JavaScript engine, as used in the Couchbase Server Eventing Service, View Engine, XDCR and N1QL UDFs, has been updated because versions prior to 99.0.4844.84 contain a type confusion that allowed a remote attacker to potentially exploit heap corruption via a crafted request.
Impact (CVSS): High (8.8)
Products: Couchbase Server
Affects Version: Server 7.1.1, 7.1.0, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.x, 5.x, 4.x, 3.x, 2.x