CVE-2023-49930

9.8 CRITICAL

📋 TL;DR

CVE-2023-49930 is an improper access control vulnerability in Couchbase Server that allows unauthenticated attackers to execute arbitrary code via cURL calls to the /diag/eval endpoint. This affects all Couchbase Server deployments before version 7.2.4 that have the diagnostic endpoint accessible.

💻 Affected Systems

Products:
  • Couchbase Server
Versions: All versions before 7.2.4
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable in default configurations where diagnostic endpoints are enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing remote code execution, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Remote code execution leading to data theft, service disruption, or deployment of malware/ransomware.

🟢 If Mitigated

No impact if endpoint is properly restricted or system is patched.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation possible if endpoint is exposed.
🏢 Internal Only: HIGH - Even internal attackers can exploit this without authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request to vulnerable endpoint can trigger exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.2.4 and later

Vendor Advisory: https://docs.couchbase.com/server/current/release-notes/relnotes.html

Restart Required: Yes

Instructions:

1. Back up the Couchbase configuration and data.
2. Download and install Couchbase Server 7.2.4 or later.
3. Restart the Couchbase services.
4. Verify that the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict access to /diag/eval endpoint

Platform: Linux

Block network access to the vulnerable diagnostic endpoint using firewall rules or network segmentation. The string match below only inspects plaintext HTTP on port 8091; it cannot see the path inside TLS connections, so segmentation or a reverse proxy rule is needed to cover encrypted access.

iptables -A INPUT -p tcp --dport 8091 -m string --string '/diag/eval' --algo bm -j DROP

Disable diagnostic endpoints

Platform: All

Configure Couchbase to disable diagnostic endpoints if not required.

curl -X POST -u Administrator:password http://localhost:8091/diag/eval -d 'ns_config:set(diag_eval_enabled, false).'

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Couchbase servers from untrusted networks.
  • Deploy web application firewall (WAF) rules to block requests containing '/diag/eval' in the URL path.

🔍 How to Verify

Check if Vulnerable:

Check the Couchbase Server version and test whether the /diag/eval endpoint responds to unauthenticated requests.

Check Version:

curl -s http://localhost:8091/pools | grep -o '"version":"[^"]*"'

Verify Fix Applied:

Confirm the version is 7.2.4 or later and test that the /diag/eval endpoint rejects unauthenticated requests.
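The two checks above (version below 7.2.4, and whether /diag/eval answers unauthenticated callers) as a small script, added here as an example and not code from Couchbase or from this page. It assumes the /pools JSON carries the release in "implementationVersion" (falling back to the "version" key the grep above looks for) and that a patched or restricted server answers an unauthenticated POST with 401 or 403; the sample /pools body is constructed.

```python
# Added verification helper for CVE-2023-49930; not Couchbase's code nor this page's.
# Assumptions (constructed): the /pools JSON carries the release in
# "implementationVersion" (or "version"), and a patched or restricted server
# answers an unauthenticated POST to /diag/eval with 401 or 403.
import json
import re
import urllib.error
import urllib.request

FIXED_IN = (7, 2, 4)  # first fixed release named in the advisory
SAMPLE_POOLS = '{"implementationVersion": "7.2.3-6705-enterprise", "pools": []}'  # constructed


def parse_version(text):
    """Turn '7.2.3-6705-enterprise' into (7, 2, 3); build and edition are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Couchbase version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_from_pools(body):
    """Extract the version string from a /pools JSON document."""
    doc = json.loads(body)
    for key in ("implementationVersion", "version"):
        if key in doc:
            return doc[key]
    raise KeyError("no version field in /pools response")


def is_patched(version):
    """True when the running release is 7.2.4 or later (numeric, not string, compare)."""
    return parse_version(version) >= FIXED_IN


def diag_eval_status(base_url, timeout=5.0):
    """POST an empty body to /diag/eval without credentials and return the HTTP status."""
    req = urllib.request.Request(f"{base_url}/diag/eval", data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def unauth_rejected(status):
    """Only 401/403 count as the endpoint refusing unauthenticated callers."""
    return status in (401, 403)
```

Run `is_patched(version_from_pools(<body of /pools>))` against a live node, then `unauth_rejected(diag_eval_status("http://host:8091"))`; a numeric tuple compare is used because a string compare would rank 7.10.x below 7.2.4.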

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /diag/eval endpoint
  • Unusual process execution from Couchbase service account

Network Indicators:

  • HTTP POST requests to port 8091 with /diag/eval in URL
  • Unusual outbound connections from Couchbase server

SIEM Query:

source="couchbase.log" AND (url_path="/diag/eval" OR "diag_eval")
