| Date: | 14.11.2017 |
|---|---|
| Affected: | All Versions of Apache CouchDB |
| Severity: | Critical |
| Vendor: | The Apache Software Foundation |
CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows a CouchDB admin user to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.
All users should upgrade to CouchDB :ref:`1.7.1 <release/1.7.1>` or :ref:`2.1.1 <release/2.1.1>`.
Upgrades from previous 1.x and 2.x versions in the same series should be seamless.
Users on earlier versions, or users upgrading from 1.x to 2.x should consult with upgrade notes.
This issue was discovered by Joan Touzet of the CouchDB Security team during the investigation of :ref:`CVE-2017-12635 <cve/2017-12635>`.