CRITICAL🇵🇱 Wersja polska

CVE-2023-49931

CVSS 9.8v3.1pub. 2024-02-29upd. 2025-04-08

An issue was discovered in Couchbase Server before 7.2.4. SQL++ cURL calls to /diag/eval are not sufficiently restricted.

🤖 AI Analysis
How it works

The /diag/eval endpoint in Couchbase Server is used to execute server-side code for diagnostic purposes. Insufficient restrictions on cURL calls initiated by SQL++ queries allow an attacker to send requests to this endpoint without proper authorization. As a result, it is possible to bypass access control mechanisms (CWE-284 — Improper Access Control) and interact with the protected diagnostic interface.

Impact

An unauthenticated attacker can gain full control over the server, including disclosure of sensitive data, data modification, and potentially disruption of service availability.

Mitigation & patch

Couchbase Server must be updated to version 7.2.4 or later. Detailed information is available in the vendor's release notes at docs.couchbase.com/server/current/release-notes/relnotes.html and on the security alerts page at couchbase.com/alerts/

Who is affected

Couchbase Server in all versions before 7.2.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Couchbase Server

    APP
    Couchbase
    5.0.0 – 7.2.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-49930CRITICAL9.8PL ✓ten sam produkt

Niewystarczające ograniczenia wywołań cURL w /diag/eval w Couchbase Server

CVE-2022-32559CRITICAL9.1ten sam produkt

An issue was discovered in Couchbase Server before 7.0.4. Random HTTP requests lead to leaked metrics.

CVE-2021-35943CRITICAL9.8ten sam produkt

Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not ...

CVE-2020-24719CRITICAL9.8ten sam produkt

Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes ...

CVE-2020-9039CRITICAL9.8ten sam produkt

Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have In...