CVE-2021-38295
📋 TL;DR
This is a privilege escalation vulnerability in Apache CouchDB. A user who is allowed to create documents in a database can attach an HTML file containing JavaScript to a document. CouchDB serves the attachment from its own origin with the attacker-chosen content type, so when an administrator opens it in a browser, for example by clicking it in the Fauxton admin interface, the script runs inside the administrator's authenticated session and can add or remove data in any database or change server configuration. The vendor advisory notes a similar route through the deprecated _show and _list functions. Affected: CouchDB 3.1.1 and earlier; fixed in 3.1.2 and 3.2.0.
💻 Affected Systems
- Apache CouchDB
📦 What is this software?
Apache CouchDB is an open-source document database exposed over an HTTP/JSON API. Fauxton is its bundled web administration interface, served by CouchDB itself at /_utils, which is why an attachment opened from it runs in the same origin as the administrator's session.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the CouchDB instance: the payload running in the administrator's session adds a server admin or changes configuration, modifies or deletes any database, and the attacker uses the new admin credentials as a foothold to reach other systems that trust CouchDB.
Likely Case
An attacker who already holds low-privilege credentials (or can write to a database with no members restriction) waits for an administrator to open the attachment, gains admin-level control, and then reads, exfiltrates or tampers with data across databases.
If Mitigated
Limited impact where every database has an explicit _security members list, administrators do not open untrusted attachments from Fauxton, and a reverse proxy already serves attachments with a sandboxing Content-Security-Policy.
🎯 Exploit Status
No exploit toolkit is needed; the payload is an ordinary HTML attachment with inline JavaScript. Exploitation requires (1) credentials with write access to some database, or a database whose _security document has an empty members section and is therefore writable by any user, and (2) an administrator opening the attachment in a browser that is logged in to CouchDB, for example from Fauxton. The privileged requests the payload makes come from the administrator's browser, not from the attacker's address.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.2 (3.2.0 and later also contain the fix)
Vendor Advisory: https://docs.couchdb.org/en/stable/cve/2021-38295.html
Restart Required: Yes
Instructions:
1. Back up CouchDB data and configuration (the data directory and local.ini).
2. Download CouchDB 3.1.2 or later from the official Apache website.
3. Stop the CouchDB service.
4. Install the new version following the platform-specific installation guide.
5. Start the CouchDB service.
6. Verify the upgrade: GET / must report version 3.1.2 or later, and attachment responses should now carry a Content-Security-Policy header (see How to Verify below).
🔧 Temporary Workarounds
Restrict Document Creation Permissions
Limit document creation to trusted users. CouchDB has no separate "create" permission: any member of a database can read and write documents, and a database whose _security document has an empty members section is writable by every user. Give each database an explicit members list, and reject risky attachment types with a validate_doc_update function.
# Set per-database permissions with the _security document: PUT /<db>/_security with explicit members.names and members.roles; leave no database with an empty members section
# Members can attach any content type, so add a validate_doc_update design document that rejects text/html (and similar active content) attachments
Disable HTML Attachment Viewing
Serve attachments with a Content-Security-Policy that sandboxes them. CouchDB before 3.1.2 cannot add this header itself; a reverse proxy in front of it can, and administrators should avoid opening HTML attachments from Fauxton in the meantime.
# On the reverse proxy, add the header Content-Security-Policy: sandbox to responses for attachment paths (/<db>/<doc>/<attachment>), e.g. nginx add_header Content-Security-Policy "sandbox" always;
# Do not apply it to /_utils/ (Fauxton needs script), and make sure the match also covers _show and _list URLs
🧯 If You Can't Patch
- Implement strict principle of least privilege for all CouchDB user accounts
- Train administrators never to open attachments of unknown origin in Fauxton; an HTML attachment served from the CouchDB origin runs with the administrator's session
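As an added example (not code from the advisory or from the CouchDB project) covering both the "Restrict Document Creation Permissions" workaround above and the least-privilege item in this list, the following Python script gives a database an explicit _security document and installs a validate_doc_update design document that rejects attachments with an HTML-like content type. The base URL, database name, credentials and member list are assumptions passed on the command line; the design document name is arbitrary; the blocked content-type list is a constructed starting point. Test the validation function against your own upload path before relying on it.

```python
"""Lock down a CouchDB database while CVE-2021-38295 is unpatched.
Added example; not code from the advisory or the CouchDB project."""
import base64
import json
import sys
import urllib.error
import urllib.request

# Content types a browser renders as a document that can run script (constructed list)
ACTIVE_CONTENT_TYPES = ("text/html", "application/xhtml+xml", "image/svg+xml")

# validate_doc_update sees new attachments as stubs carrying content_type,
# so it can refuse the upload before the revision is written.
VALIDATE_JS = """function (newDoc, oldDoc, userCtx, secObj) {
  var blocked = %s;
  var atts = newDoc._attachments || {};
  for (var name in atts) {
    var ct = (atts[name].content_type || "").toLowerCase().split(";")[0].trim();
    if (blocked.indexOf(ct) !== -1) {
      throw({forbidden: "attachment " + name + " has blocked content type " + ct});
    }
  }
}""" % json.dumps(list(ACTIVE_CONTENT_TYPES))


def build_security_doc(member_names, member_roles=(), admin_names=(), admin_roles=()):
    """CouchDB treats an empty members section as 'public': any user can read
    and write.  Naming users/roles makes every other user get 403."""
    if not member_names and not member_roles:
        raise ValueError("refusing to write a public (empty members) _security document")
    return {
        "admins": {"names": list(admin_names), "roles": list(admin_roles)},
        "members": {"names": list(member_names), "roles": list(member_roles)},
    }


def build_validation_ddoc():
    # Design document name is arbitrary (assumption for this example)
    return {"_id": "_design/block_active_attachments", "validate_doc_update": VALIDATE_JS}


def _request(base_url, method, path, body, auth):
    data = None if body is None else json.dumps(body).encode()
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"Content-Type": "application/json",
                                          "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def lock_down(base_url, db, auth, member_names, member_roles=()):
    """Write the _security document, then create or update the design doc."""
    sec = _request(base_url, "PUT", f"/{db}/_security",
                   build_security_doc(member_names, member_roles), auth)
    ddoc = build_validation_ddoc()
    try:   # reuse the current _rev so re-running updates instead of conflicting
        ddoc["_rev"] = _request(base_url, "GET", f"/{db}/{ddoc['_id']}", None, auth)["_rev"]
    except urllib.error.HTTPError as err:
        if err.code != 404:
            raise
    return sec, _request(base_url, "PUT", f"/{db}/{ddoc['_id']}", ddoc, auth)


if __name__ == "__main__":
    # usage: lockdown.py http://localhost:5984 <db> <admin> <password> <member>...
    if len(sys.argv) < 6:
        sys.exit("usage: lockdown.py URL DB ADMIN PASSWORD MEMBER...")
    url, db, user, password, *members = sys.argv[1:]
    print(json.dumps(lock_down(url, db, (user, password), members), indent=2))
```

The script refuses to write an empty members section on purpose: that would make the database public again. Server admins are unaffected by the members list, so the admin credentials used here keep working.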
🔍 How to Verify
Check if Vulnerable:
Query the server root; the JSON response includes the running version (Fauxton at /_utils shows the same value). Any version below 3.1.2 is vulnerable.
Check Version:
curl -s http://localhost:5984/ | grep version
Verify Fix Applied:
Confirm the version is 3.1.2 or later, then confirm an attachment response carries Content-Security-Policy: sandbox (curl -I on any attachment URL). On fixed releases that header is controlled by the [csp] section of the configuration; if attachments_enable has been set to false or attachments_header_value has been weakened, the protection is off even though the version is current.
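An added example (not from the advisory or the CouchDB project) that automates both checks: it reads the version from GET /, compares it with 3.1.2, and optionally issues a HEAD request to an attachment you name to confirm a sandboxing Content-Security-Policy is present. The base URL, attachment path and credentials are assumptions passed on the command line; the header rule treats a sandbox directive that re-enables both allow-scripts and allow-same-origin as no sandbox at all, since that combination gives the attachment back the CouchDB origin.

```python
"""Check a CouchDB node for CVE-2021-38295: version below 3.1.2 and no CSP
sandbox on attachment responses.  Added example, not CouchDB project code."""
import json
import re
import sys
import urllib.request

FIXED_VERSION = (3, 1, 2)   # 3.1.2 and 3.2.0 carry the fix


def parse_version(text):
    """Turn '3.1.1', '3.2.0-1' or '3.1.1+build.x' into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised CouchDB version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def version_is_vulnerable(text):
    return parse_version(text) < FIXED_VERSION


def attachment_is_sandboxed(headers):
    """True if the response carries a Content-Security-Policy with a sandbox
    directive that does not hand back script plus same-origin.  Fixed releases
    send 'sandbox' by default."""
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "sandbox":
                return not {"allow-scripts", "allow-same-origin"} <= set(t.lower() for t in tokens[1:])
    return False


def check_server(base_url, attachment_path=None, auth=None):
    """Read the version from GET /; optionally HEAD an attachment for its CSP.
    attachment_path looks like '/db/doc/file.html'; auth is (user, password)."""
    opener = urllib.request.build_opener()
    if auth:
        mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
        mgr.add_password(None, base_url, *auth)
        opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(mgr))
    with opener.open(base_url + "/") as resp:
        version = json.load(resp)["version"]
    result = {"version": version, "version_vulnerable": version_is_vulnerable(version)}
    if attachment_path:
        req = urllib.request.Request(base_url + attachment_path, method="HEAD")
        with opener.open(req) as resp:
            result["attachment_sandboxed"] = attachment_is_sandboxed(resp.getheaders())
    return result


if __name__ == "__main__":
    # usage: check.py [http://localhost:5984] [/db/doc/attachment.html] [user password]
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:5984"
    att = sys.argv[2] if len(sys.argv) > 2 else None
    creds = (sys.argv[3], sys.argv[4]) if len(sys.argv) > 4 else None
    print(json.dumps(check_server(base, att, creds), indent=2))
```

Run it with an attachment path even on a patched node: the version check alone does not catch a [csp] section that has been disabled or a reverse proxy that strips the header.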
📡 Detection & Monitoring
Log Indicators:
- PUT requests creating attachments whose name or content type is HTML (or SVG) from non-admin credentials, especially in databases where such attachments are not normal
- An admin session fetching such an attachment and, within seconds, issuing writes to /_node/*/_config/*, /_users/* or a database _security document
- Configuration or _users changes that originate from an administrator's browser (Fauxton user agent) rather than from your provisioning tooling
Network Indicators:
- PUT /<db>/<doc>/<name> with Content-Type text/html from a non-admin source (the content type is visible in a reverse proxy access log; CouchDB's own request log records method, path, user and status but not the content type)
- Privileged API calls shortly afterwards from the administrator's address, not the uploader's: the payload runs in the admin's browser, so correlate on the attachment path and the admin account rather than on a shared source IP
SIEM Query (Splunk-style sketch; field names depend on how you parse the CouchDB request log or the reverse proxy access log, and <server admin accounts> is a placeholder for your admin user names):
index=couchdb (method=PUT uri="/*/*/*.html" status=201 NOT user IN (<server admin accounts>)) OR (user IN (<server admin accounts>) method IN (PUT, POST, DELETE) (uri="/_node/*/_config/*" OR uri="/_users/*"))