CVE-2023-28470 – Couchbase Server versions 5 through 7.1.3 expos... (How to Fix)

Q: What is the severity of CVE-2023-28470?

CVE-2023-28470 has a CVSS score of 5.3 (MEDIUM). Couchbase Server versions 5 through 7.1.3 expose the nsstats endpoint without requiring authentication. This allows unauthenticated attackers to access server statistics and potentially gather information about the database environment. All Couchbase Server deployments within the affected version range are vulnerable if the endpoint is accessible.

📋 TL;DR

Couchbase Server versions 5 through 7.1.3 expose the nsstats endpoint without requiring authentication. This allows unauthenticated attackers to access server statistics and potentially gather information about the database environment. All Couchbase Server deployments within the affected version range are vulnerable if the endpoint is accessible.

💻 Affected Systems

Products:

Couchbase Server

Versions: 5.0.0 through 7.1.3

Operating Systems: All supported platforms

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations within the affected version range are vulnerable. The nsstats endpoint is accessible by default without authentication.

📦 What is this software?

Couchbase Server by Couchbase

View all CVEs affecting Couchbase Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Information disclosure could reveal sensitive operational details, cluster topology, performance metrics, and potentially aid in further attacks by exposing system configuration.

🟠

Likely Case

Unauthenticated access to server statistics, allowing reconnaissance and information gathering about the database environment.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing external access to the endpoint.

🌐 Internet-Facing: MEDIUM - While it's information disclosure rather than direct compromise, exposed database statistics can provide attackers with valuable reconnaissance data.

🏢 Internal Only: LOW - Internal attackers already have network access, making this less impactful than external exposure.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only HTTP access to the vulnerable endpoint - no authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.1.4 and later

Vendor Advisory: https://docs.couchbase.com/server/current/release-notes/relnotes.html

Restart Required: Yes

Instructions:

1. Download Couchbase Server 7.1.4 or later from official sources. 2. Backup all data and configuration. 3. Stop Couchbase Server services. 4. Install the updated version. 5. Restart Couchbase Server services. 6. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Control

linux

Restrict network access to Couchbase Server endpoints using firewall rules

iptables -A INPUT -p tcp --dport 8091 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8091 -j DROP

Reverse Proxy Authentication

all

Place Couchbase Server behind a reverse proxy that requires authentication

🧯 If You Can't Patch

Implement strict network segmentation to prevent unauthorized access to Couchbase Server endpoints
Deploy web application firewall rules to block access to /nsstats endpoint

🔍 How to Verify

Check if Vulnerable:

Attempt to access http://[couchbase-server]:8091/nsstats without authentication. If it returns statistics data, the system is vulnerable.

Check Version:

curl -s http://localhost:8091/pools | grep -o '"version":"[^"]*"'

Verify Fix Applied:

After patching, attempt the same access. You should receive an authentication prompt or access denied response.

📡 Detection & Monitoring

Log Indicators:

Unauthenticated access attempts to /nsstats endpoint
HTTP 200 responses to /nsstats from unauthenticated sources

Network Indicators:

Unusual traffic patterns to port 8091 from unauthorized sources
GET requests to /nsstats endpoint

SIEM Query:

source="couchbase.log" AND (uri_path="/nsstats" AND http_status=200 AND NOT authenticated_user=*)

📊 Metadata

CVE ID: CVE-2023-28470

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-306

Published: March 23, 2023

Last Updated: February 24, 2025

🔗 References

https://docs.couchbase.com/server/current/release-notes/relnotes.html Release Notes
https://forums.couchbase.com/tags/security Vendor Advisory
https://www.couchbase.com/alerts/ Vendor Advisory
https://www.couchbase.com/downloads Product
https://docs.couchbase.com/server/current/release-notes/relnotes.html Release Notes
https://forums.couchbase.com/tags/security Vendor Advisory
https://www.couchbase.com/alerts/ Vendor Advisory
https://www.couchbase.com/downloads Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-28470, you might also want to check these: