This page lists critical alerts and advisories for Couchbase.

Enterprise Security Alerts

Each entry below gives the CVE(s), a synopsis, a description, the impact (CVSS base score where published), the affected product and versions, the versions that carry the fix, and the publish date.

CVE-2022-41881
CVE-2022-41915
Synopsis: Update Netty to 4.1.86.Final or higher.
Description: In Netty versions prior to 4.1.86.Final, parsing a malformed, crafted message can recurse without bound and raise a StackOverflowError (CVE-2022-41881). The same release also fixes CVE-2022-41915, a missing validation of HTTP header values that allows header injection.
Impact: Low
Products: Couchbase Server
Affected versions: 6.6.6, 7.0.5, 7.1.3
Fix versions: 7.2.0, 7.1.4
Published: May 2023

CVE-2023-28470
Synopsis: Full Text Search (FTS) nsstats endpoint is accessible without authentication.
Description: The FTS stats endpoint at /api/nsstats does not implement correct authentication, so it is possible to view the names of Couchbase Server buckets, the names of FTS indexes and the configuration of FTS indexes without authentication. The contents of the buckets and indexes are not exposed.
Impact: Medium (5.3)
Products: Couchbase Server
Affected versions: 7.1.3, 7.1.2, 7.1.1, 7.1.0, 7.0.x, 6.6.x
Fix versions: 7.1.4
Published: March 2023
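The following probe is an added example for the entry above and is not Couchbase code. It issues an unauthenticated GET to /api/nsstats and classifies the result, then extracts the bucket and index names that the advisory says are disclosed. Two assumptions are made that the advisory does not state: that the Search service listens on port 8094 (the Couchbase default), and that per-index stat keys in the nsstats document have the form bucket:index:stat while other keys are global counters. The sample body is constructed to that assumed layout.

```python
"""Probe for CVE-2023-28470: is FTS /api/nsstats readable without credentials?

Added example, not Couchbase code. Assumptions not stated in the advisory:
  - the FTS REST service listens on port 8094 (Couchbase default),
  - per-index stat keys look like "<bucket>:<index>:<stat>"; keys with fewer
    colons are global counters and carry no names.
"""
import json
import urllib.error
import urllib.request


def parse_nsstats(body: str):
    """Return (buckets, indexes) named in an nsstats JSON document.

    Only names leak; the advisory notes bucket and index contents are not exposed.
    """
    stats = json.loads(body)
    buckets, indexes = set(), set()
    for key in stats:
        parts = key.split(":")
        if len(parts) >= 3:            # assumed "<bucket>:<index>:<stat>" layout
            buckets.add(parts[0])
            indexes.add((parts[0], parts[1]))
    return sorted(buckets), sorted(indexes)


def assess(status: int) -> str:
    """Classify an unauthenticated GET: 200 means stats were served without auth."""
    if status == 200:
        return "vulnerable"
    if status in (401, 403):
        return "fixed"
    return "inconclusive"


def probe(host: str, port: int = 8094, timeout: float = 5.0):
    """Send the request with no Authorization header and report what came back."""
    url = f"http://{host}:{port}/api/nsstats"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess(resp.status), parse_nsstats(resp.read().decode())
    except urllib.error.HTTPError as e:      # 401/403 from a fixed server lands here
        return assess(e.code), ([], [])


# Constructed sample body in the assumed key format, standing in for a real response.
SAMPLE_BODY = json.dumps({
    "num_bytes_used_ram": 1048576,
    "travel-sample:travel-sample-index:doc_count": 31591,
    "travel-sample:travel-sample-index:num_pindexes_actual": 6,
    "beer-sample:beer-index:doc_count": 7303,
})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(assess(200), parse_nsstats(SAMPLE_BODY))
```

Run it against a node's Search port; a "vulnerable" verdict with a non-empty name list is the disclosure the advisory describes, and "fixed" is what 7.1.4 and later should return. A 7.1.4 node that still returns 200 would indicate the endpoint is being served by an unpatched node behind a load balancer.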

CVE-2023-25016
Synopsis: Credentials can be leaked to the logs if there is a crash during a node join.
Description: During a node join failure, the unredacted credentials of the user making the REST request can be leaked into the log files.
Impact: Medium (6.3)
Products: Couchbase Server
Affected versions: 7.1.1, 7.1.0, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.x, 4.x, 3.x, 2.x
Fix versions: 7.1.2, 7.0.5, 6.6.6
Published: January 2023

CVE-2022-42951
Synopsis: Couchbase Cluster Manager lacks access controls during a cluster node restart.
Description: During the start of a Couchbase Server node there is a short period during which the Erlang distribution security cookie is set to "nocookie", so the Erlang distribution protocol has no access control. An attacker who connects to the distribution protocol during this window can execute arbitrary code remotely on any cluster node, at any later time, until their connection is dropped. The executed code runs with the same privileges as the Couchbase Server process.
Impact: Critical (9.8)
Products: Couchbase Server
Affected versions: 7.1.1, 7.1.0, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, 6.6.0, 6.5.x
Fix versions: 7.1.2, 7.0.5, 6.6.6
Published: January 2023

CVE-2022-42004
CVE-2022-42003
Synopsis: Update Jackson Databind, as used in the Analytics Service, to 2.13.4.2 or later to resolve vulnerabilities.
Description: The Couchbase Analytics Service can be driven to resource exhaustion because jackson-databind lacked a check to prevent the use of deeply nested arrays (CVE-2022-42003 in the UNWRAP_SINGLE_VALUE_ARRAYS handling of primitive deserializers, CVE-2022-42004 in BeanDeserializer._deserializeFromArray).
Impact: High (7.5)
Products: Couchbase Server
Affected versions: 7.1.2, 7.1.1, 7.1.0, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.x, 4.x
Fix versions: 7.1.3, 7.0.5, 6.6.6
Published: January 2023

CVE-2022-42950
Synopsis: A crafted HTTP request to the REST API can cause a Backup Service OOM.
Description: An extremely large (or unbounded) HTTP request body can make the Backup Service run out of memory (OOM).
Impact: Medium (4.9)
Products: Couchbase Server
Affected versions: 7.1.1, 7.1.0, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
Fix versions: 7.1.2, 7.0.5
Published: January 2023

CVE-2022-1096
Synopsis: Update of the V8 JavaScript engine to 10.7.x.
Description: The V8 JavaScript engine used by the Couchbase Server Eventing Service, View Engine, XDCR and N1QL user-defined functions has been updated. Versions prior to 99.0.4844.84 (the Chrome release that carried the fix) contain a type confusion bug that allowed a remote attacker to potentially exploit heap corruption via a crafted request.
Impact: High (8.8)
Products: Couchbase Server
Affected versions: 7.1.1, 7.1.0, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.x, 5.x, 4.x, 3.x, 2.x
Fix versions: 7.1.2, 7.0.5
Published: January 2023

CVE-2021-41561
Synopsis: Update of Apache Parquet to 1.12.3.
Description: An attacker can use Parquet files, which the Couchbase Analytics Service optionally reads, to cause a denial of service (DoS) if the malicious files contain improper values in the file page header (for example, negative values where a positive value is expected). This is resolved by updating the Apache Parquet library to a later version.
Impact: High (7.5)
Products: Couchbase Server
Affected versions: 7.1.1, 7.1.0
Fix versions: 7.1.2
Published: November 2022

CVE-2022-37026
Synopsis: Upgrade of Erlang to version 24.3.4.4.
Description: When the TLS/SSL feature is used in Couchbase Server, client authentication can be bypassed in certain situations. Specifically, any application using the Erlang ssl/tls/dtls server with the client certificate option {verify, verify_peer} is affected. Corrections were released on the supported Erlang/OTP tracks as 23.3.4.15, 24.3.4.2 and 25.0.2. Only clusters using certificate-based authentication are affected.
Impact: Critical (9.8)
Products: Couchbase Server
Affected versions: 7.1.1, 7.1.0
Fix versions: 7.1.2
Published: November 2022

CVE-2022-32556
Synopsis: Private key is leaked to the log files with certain crashes.
Description: Certain rare crashes might cause the private key of the generated certificate to be leaked to the log files.
Impact: Medium (6.3)
Products: Couchbase Server
Affected versions: 7.1.0, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.x, 4.x, 3.x
Fix versions: 7.1.1, 7.0.4, 6.6.6
Published: July 2022

CVE-2022-24675
CVE-2022-23772
CVE-2022-24921
Synopsis: Update of Go to a minimum of 1.17.9 or 1.18.1.
Description: Updated the Go programming language and associated libraries used in multiple Couchbase Server services to 1.17.9+ or 1.18.1+ to resolve CVE-2022-24675 (stack exhaustion in encoding/pem on a large PEM input), CVE-2022-23772 (overflow in math/big Rat.SetString) and CVE-2022-24921 (stack exhaustion in regexp on a deeply nested expression).
Impact: High (7.5)
Products: Couchbase Server
Affected versions: 7.1.0, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.x, 4.x
Fix versions: 7.1.1, 7.0.5, 6.6.6
Published: July 2022

CVE-2020-36518
Synopsis: Update of the jackson-databind library to version 2.13.2.2.
Description: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. This library is used by the Couchbase Server Analytics Service.
Impact: Medium (6.5)
Products: Couchbase Server
Affected versions: 7.1.0, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, 6.6.0, 6.5.x, 6.0.x
Fix versions: 7.1.1, 7.0.4, 6.6.6
Published: July 2022

CVE-2022-1292
Synopsis: Update of OpenSSL to 1.1.1o.
Description: Updated OpenSSL to fix a flaw in the c_rehash script. The script scans a directory, takes a hash of each .pem and .crt file it finds, and creates a symbolic link to each file named by that hash. It did not properly sanitise filenames, which allows command injection through the script.
Impact: Critical (9.8)
Products: Couchbase Server
Affected versions: 7.1.0, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, 6.6.0, 6.5.x
Fix versions: 7.1.1, 7.0.4, 6.6.6
Published: July 2022

CVE-2022-34826
Synopsis: Encrypted private key passphrase may be leaked in the logs.
Description: In Couchbase Server 7.1.0 and later it is possible to provide a passphrase to Couchbase Server to unlock an encrypted TLS private key. This passphrase was found to be leaked into the log files as a Base64-encoded string when one of the Couchbase services other than the Data Service was starting up. This affects the Index Service, Query Service, Analytics Service, Backup Service and Eventing Service if the optional encrypted TLS keys feature is used. Note that an attacker needs access to both the logs and the private key to carry out attacks such as a man-in-the-middle attack or decrypting network communication. Using operating system protections to restrict access to these files can be an effective mitigation.
Impact: Medium (4.4)
Products: Couchbase Server
Affected versions: 7.1.0
Fix versions: 7.1.1
Published: July 2022
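Three entries on this page (CVE-2023-25016, CVE-2022-32556 and CVE-2022-34826 above) describe secrets that an affected version could write into its log files: the unredacted credentials of a REST request, a PEM private key, and the TLS key passphrase in Base64. The scanner below is an added example, not Couchbase code, for checking collected logs before they are shared or retained. The log lines are constructed, and the exact form in which the affected versions wrote the credentials (here assumed to be a verbatim Authorization: Basic header) is an assumption; the PEM marker and the Base64 form of the passphrase follow from the entries themselves.

```python
"""Scan Couchbase Server log lines for the secrets the advisories say can leak:
unredacted request credentials, PEM private keys, Base64-encoded key passphrases.

Added example, not Couchbase code. SAMPLE_LOG is constructed; the Basic-auth
header form is an assumption about how a logged request would look.
"""
import base64
import re

PEM_KEY = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
# A verbatim HTTP Authorization header inside a log line (assumed form).
BASIC_AUTH = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)")


def passphrase_tokens(passphrase: str):
    """Both encodings under which the passphrase could appear in a log."""
    return {passphrase, base64.b64encode(passphrase.encode()).decode()}


def scan(lines, passphrase=None):
    """Return [(line_no, finding), ...] for every line that carries a secret."""
    tokens = passphrase_tokens(passphrase) if passphrase else set()
    findings = []
    for n, line in enumerate(lines, 1):
        if PEM_KEY.search(line):
            findings.append((n, "private key material"))
        m = BASIC_AUTH.search(line)
        if m:
            try:   # recover only the username for the report, never the password
                user = base64.b64decode(m.group(1)).decode().split(":", 1)[0]
            except (ValueError, UnicodeDecodeError):
                user = "?"
            findings.append((n, f"basic-auth credentials for user '{user}'"))
        if any(t in line for t in tokens):
            findings.append((n, "TLS key passphrase (plain or Base64)"))
    return findings


# Constructed log lines; the encoded values are built here rather than pasted in.
_CRED = base64.b64encode(b"Administrator:passw0rd").decode()
_PASS_B64 = base64.b64encode(b"secret-pass").decode()
SAMPLE_LOG = [
    "[ns_server:info] node join started",
    f"[ns_server:error] join failed; request headers: Authorization: Basic {_CRED}",
    "[ns_server:error] crash dump: -----BEGIN RSA PRIVATE KEY----- MIIEow...",
    f"[indexer] starting with key passphrase {_PASS_B64}",
    "[indexer] started",
]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG, passphrase="secret-pass"):
        print(f"line {n}: {finding}")
```

Pass the real passphrase only when scanning on a host that is already trusted with it; a short passphrase will also match incidental substrings, so treat passphrase hits on very short values as candidates to review rather than confirmed leaks.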

CVE-2021-42581
Synopsis: Update of ramda, a client-side JavaScript library used in the Couchbase Server UI, to version 0.28.
Description: Ramda 0.27.0 and earlier allows attackers to compromise the integrity or availability of an application by supplying a crafted object (one that contains an own property named "__proto__") as an argument to a function, an attack known as prototype pollution. Prototype pollution attacks allow bypassing input validation and triggering unexpected JavaScript execution.
Impact: Critical (9.1)
Products: Couchbase Server
Affected versions: 7.1.0, 7.0.x
Fix versions: 7.1.1
Published: July 2022

CVE-2021-44906
Synopsis: Update of js-beautify, a client-side JavaScript library used in the Couchbase Server UI, to 1.14.3.
Description: js-beautify depends on minimist, which has a known vulnerability: minimist <=1.2.5 is vulnerable to prototype pollution via the setKey() function in index.js (lines 69-95). Prototype pollution attacks allow bypassing input validation and triggering unexpected JavaScript execution.
Impact: Critical (9.8)
Products: Couchbase Server
Affected versions: 7.1.0, 7.0.x
Fix versions: 7.1.1
Published: July 2022

CVE-2022-33911
Synopsis: Field names are not redacted in logged validation messages for the Analytics Service.
Description: When creating secondary indexes with the Couchbase Server Analytics Service, some validations of the indexed fields are reported to the user and logged. Error code ASX0013, used in multiple code paths to report a duplicate field name, and error code ASX1079 both include field names, and those field names are not redacted in the logged messages.
Impact: Low (1.8)
Products: Couchbase Server
Affected versions: 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, 6.6.0, 6.5.x
Fix versions: 7.0.4, 6.6.6
Published: June 2022

CVE-2022-33173
Synopsis: Analytics Remote Links may temporarily downgrade to a non-TLS connection to determine the TLS port.
Description: On failure to establish a TLS connection for an Analytics Remote Link configured with encryption=full, the runtime attempted to discover the (non-default) TLS port by opening a non-TLS connection to the remote cluster, authenticating with SCRAM-SHA. SCRAM-SHA does not transmit the credentials themselves, but silently downgrading a link whose configuration prescribes TLS is not what an operator would expect. This fallback has been removed: if the initial TLS connection fails, CONNECT LINK now simply fails until the correct TLS port is provided as part of the link configuration.
Impact: Low (2.0)
Products: Couchbase Server
Affected versions: 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, 6.6.0
Fix versions: 7.0.4, 6.6.6
Published: June 2022

CVE-2022-32565
Synopsis: Backup Service log leaks unredacted usernames and document IDs.
Description: If the Backup Service fails to log an audit message, it leaks the audit log data into backup_service.log, which is not redacted.
Impact: Low (1.8)
Products: Couchbase Server
Affected versions: 7.0.x
Fix versions: 7.1.0
Published: June 2022

CVE-2020-14040
Synopsis: Update the golang.org/x/text package to 0.3.4 or later.
Description: The UTF-16 decoder in the golang.org/x/text/encoding/unicode package can enter an infinite loop on crafted input, causing the program to crash or run out of memory.
Impact: High (7.5)
Products: Couchbase Server
Affected versions: 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.x
Fix versions: 7.0.4, 6.6.6
Published: June 2022

CVE-2022-32192
Synopsis: couchbase-cli leaks the Secrets Management master password as a command-line argument.
Description: couchbase-cli spawns a very short-lived Erlang process that receives the master password as a process argument, so anyone who can read the process list at that moment obtains the master password. This only affects Couchbase Server clusters that use the Secrets Management feature.
Impact: Medium (5.5)
Products: Couchbase Server
Affected versions: 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.x
Fix versions: 7.0.4, 6.6.6
Published: June 2022

CVE-2022-32562
Synopsis: Operations may succeed on a collection using a stale RBAC permission.
Description: If an RBAC role contains a collection-level permission (e.g. query_select[src:_default:Collection1]) and the collection with that name is deleted and re-created in the bucket, the collection-level permission remains valid. This allows a user with the role to access the re-created collection even though their permission should have been removed when the collection was deleted.
Impact: High (8.8)
Products: Couchbase Server
Affected versions: 7.0.3, 7.0.2, 7.0.1, 7.0.0
Fix versions: 7.0.4
Published: June 2022
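On a version affected by the entry above, the practical control is to know which users hold a role pinned to a collection before that collection is dropped, so the role can be removed rather than surviving into the re-created collection. The audit below is an added example, not Couchbase code. It reads the cluster's user list from GET /settings/rbac/users and reports every user whose role is scoped to exactly one bucket.scope.collection. The bracket form query_select[src:_default:Collection1] is the one quoted in the entry; the JSON field names id, domain, roles, role, bucket_name, scope_name and collection_name (with "*" as the wildcard) are an assumption about the endpoint's response layout, and the sample user list is constructed.

```python
"""Audit for CVE-2022-32562: which users hold a role scoped to one specific collection?

Added example, not Couchbase code. Assumed, not taken from the advisory: the
/settings/rbac/users response is a JSON list of users with "id", "domain" and
"roles", each role carrying "role", "bucket_name", "scope_name" and
"collection_name" (wildcard "*"). The bracket role form is quoted in the advisory.
"""
import base64
import json
import re
import urllib.request

ROLE_RE = re.compile(r"^(?P<role>[a-z0-9_]+)(?:\[(?P<scope>[^\]]*)\])?$")


def parse_role_string(s: str):
    """'query_select[src:_default:Collection1]' -> ('query_select', 'src', '_default', 'Collection1').

    Levels that are not given mean "any" and are returned as '*'.
    """
    m = ROLE_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised role string: {s!r}")
    scope = m.group("scope")
    parts = scope.split(":") if scope else []
    parts += ["*"] * (3 - len(parts))
    return (m.group("role"), *parts[:3])


def role_tuple(role: dict):
    """Normalise a role object from the (assumed) REST layout to the same 4-tuple."""
    return (role["role"],
            role.get("bucket_name", "*"),
            role.get("scope_name", "*"),
            role.get("collection_name", "*"))


def collection_scoped_roles(users, bucket, scope, collection):
    """Users holding a role pinned to exactly bucket.scope.collection.

    Bucket- or scope-wide roles (collection '*') are not affected and are skipped.
    Accepts roles either as dicts (REST layout) or as bracket strings.
    """
    hits = []
    for u in users:
        for r in u.get("roles", []):
            t = role_tuple(r) if isinstance(r, dict) else parse_role_string(r)
            if t[1:] == (bucket, scope, collection):
                hits.append((u["id"], u.get("domain", "local"), t[0]))
    return hits


def fetch_users(host, user, password, port=8091):
    """GET /settings/rbac/users with HTTP basic auth (Couchbase admin port 8091 assumed)."""
    req = urllib.request.Request(f"http://{host}:{port}/settings/rbac/users")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


# Constructed sample in the assumed layout: one collection-pinned role, one scope-wide, one admin.
SAMPLE_USERS = [
    {"id": "analyst", "domain": "local", "roles": [
        {"role": "query_select", "bucket_name": "src",
         "scope_name": "_default", "collection_name": "Collection1"}]},
    {"id": "etl", "domain": "local", "roles": [
        {"role": "data_reader", "bucket_name": "src",
         "scope_name": "_default", "collection_name": "*"}]},
    {"id": "admin", "domain": "local", "roles": [{"role": "admin"}]},
]

if __name__ == "__main__":
    for uid, dom, role in collection_scoped_roles(SAMPLE_USERS, "src", "_default", "Collection1"):
        print(f"{uid} ({dom}) holds {role} on src._default.Collection1; remove before dropping the collection")
```

Run the audit with fetch_users() output in place of SAMPLE_USERS before dropping a collection on 7.0.0 through 7.0.3; on 7.0.4 and later the server invalidates the stale permission itself, but the same listing remains a useful least-privilege review after any collection is re-created.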

CVE-2022-32560
Synopsis: XDCR lacks role checking when changing internal settings.
Description: In affected versions of Couchbase Server, X