Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2020-1955

Date: May 20, 2020

CouchDB version 3.0.0 shipped with a new configuration setting that governs access control to the entire database server called "require_valid_user_except_for_up". It was meant as an extension to the long standing setting "require_valid_user", which in turn requires that any and all requests to CouchDB will have to be made with valid credentials, effectively forbidding any anonymous requests. The new "require_valid_user_except_for_up" is an off-by-default setting that was meant to allow requiring valid credentials for all endpoints except for the "/_up" endpoint. However, the implementation of this made an error that lead to not enforcing credentials on any endpoint, when enabled. CouchDB versions 3.0.1[1] and 3.1.0[2] fix this issue.

Language: ERLANG

Severity Score

Related Resources (4)

https://docs.couchdb.org/en/master/cve/2020-1955.html
https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1955
https://nvd.nist.gov/vuln/detail/CVE-2020-1955
https://www.mend.io/vulnerability-database/CVE-2020-1955

Severity Score

Weakness Type (CWE)

Missing Authentication for Critical Function

CWE-306

Improper Privilege Management

CWE-269

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us