An issue was discovered in Couchbase Server before 7.2.4. cURL calls to /diag/eval are not sufficiently restricted.
The /diag/eval endpoint in Couchbase Server enables execution of diagnostic code on the server. Due to insufficient restrictions on cURL calls directed to this endpoint, an attacker can send network requests without proper authentication or authorization. The vulnerability is classified as an access control issue (CWE-284), meaning that authorization verification mechanisms do not work as intended by security assumptions.
An attacker without any authentication, remotely over the network, can gain full control over the confidentiality, integrity, and availability of the system — corresponding to maximum CVSS scores in these categories.
Couchbase Server should be updated to version 7.2.4 or newer. Detailed information is available in the official release notes from the vendor at docs.couchbase.com and on the security alerts page at couchbase.com/alerts/
Couchbase Server in all versions before 7.2.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCouchbase Server
APPCouchbase7.1.5 – 7.2.4 (bez)
Related vulnerabilities
Niewystarczające ograniczenia wywołań cURL w Couchbase Server (SQL++)
An issue was discovered in Couchbase Server before 7.0.4. Random HTTP requests lead to leaked metrics.
Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not ...
Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes ...
Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have In...