CVE-2023-49338 – Couchbase Server 7.1.x and 7.2.x before 7.2.4 e... (How to Fix)

Q: What is the severity of CVE-2023-49338?

CVE-2023-49338 has a CVSS score of 7.5 (HIGH). Couchbase Server 7.1.x and 7.2.x before 7.2.4 exposes sensitive admin statistics and vitals endpoints without authentication on localhost port 8093. This allows any local user or process to access detailed system metrics and health information that should be protected. Organizations running affected Couchbase Server versions are vulnerable.

📋 TL;DR

Couchbase Server 7.1.x and 7.2.x before 7.2.4 exposes sensitive admin statistics and vitals endpoints without authentication on localhost port 8093. This allows any local user or process to access detailed system metrics and health information that should be protected. Organizations running affected Couchbase Server versions are vulnerable.

💻 Affected Systems

Products:

Couchbase Server

Versions: 7.1.x and 7.2.x before 7.2.4

Operating Systems: All supported platforms

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects the Query Service endpoints on localhost port 8093. Requires local access to the Couchbase Server host.

📦 What is this software?

Couchbase Server by Couchbase

View all CVEs affecting Couchbase Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with local access could gather detailed system metrics, potentially revealing sensitive information about database performance, configuration, and health that could facilitate further attacks or data exfiltration.

🟠

Likely Case

Unauthorized users or malicious processes on the same host could monitor database performance metrics, track system vitals, and gain insights into database operations without authentication.

🟢

If Mitigated

With proper network segmentation and local host security controls, the impact is limited to authorized local processes only.

🌐 Internet-Facing: LOW - The vulnerability affects localhost endpoints only, not directly internet-accessible interfaces.

🏢 Internal Only: MEDIUM - Local attackers or compromised processes on the same host can access sensitive admin information without authentication.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires local access to the Couchbase Server host. Attackers can simply curl or access the endpoints without credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.2.4

Vendor Advisory: https://docs.couchbase.com/server/current/release-notes/relnotes.html

Restart Required: Yes

Instructions:

1. Download Couchbase Server 7.2.4 or later from official sources. 2. Backup your configuration and data. 3. Stop Couchbase Server services. 4. Install the updated version. 5. Restart Couchbase Server services. 6. Verify the update was successful.

🔧 Temporary Workarounds

Localhost Firewall Restriction

linux

Block unauthorized local access to port 8093 using host firewall rules

iptables -A INPUT -p tcp --dport 8093 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8093 -j DROP

Network Segmentation

all

Ensure Couchbase Server hosts are properly segmented and only authorized processes can access localhost services

🧯 If You Can't Patch

Implement strict local host security controls to prevent unauthorized local users or processes
Monitor and audit access to localhost port 8093 for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Run: curl -v http://localhost:8093/admin/stats and check if it returns data without authentication. If it returns HTTP 200 with JSON data, the system is vulnerable.

Check Version:

couchbase-server --version or check the web console at http://localhost:8091

Verify Fix Applied:

After patching to 7.2.4+, the same curl command should return HTTP 401 Unauthorized or require proper authentication.

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to /admin/stats or /admin/vitals endpoints
Successful access to admin endpoints without authentication logs

Network Indicators:

Unusual traffic patterns to localhost:8093 from unexpected processes
Multiple rapid requests to admin endpoints

SIEM Query:

source="couchbase.log" AND (uri_path="/admin/stats" OR uri_path="/admin/vitals") AND http_status=200 AND NOT auth_user=*

📊 Metadata

CVE ID: CVE-2023-49338

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-276

Published: February 28, 2024

Last Updated: April 23, 2025

🔗 References

https://docs.couchbase.com/server/current/release-notes/relnotes.html Release Notes
https://forums.couchbase.com/tags/security Product
https://www.couchbase.com/alerts/ Vendor Advisory
https://docs.couchbase.com/server/current/release-notes/relnotes.html Release Notes
https://forums.couchbase.com/tags/security Product
https://www.couchbase.com/alerts/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-49338, you might also want to check these: