📦 Couchbase Server
by Couchbase
🛡️ Security Overview
⚠️ Known Vulnerabilities
CVE-2023-49930 is an improper access control vulnerability in Couchbase Server that allows unauthenticated attackers to execute arbitrary code via cURL calls to the /diag/eval endpoint. This affects a...
CVE-2021-35943 allows externally managed users in Couchbase Server to authenticate with empty passwords, violating RFC4513 authentication requirements. This affects Couchbase Server versions 6.5.x and...
CVE-2020-24719 is a critical vulnerability in Couchbase Server where the Erlang magic cookie (authentication secret) can be exposed in logs. Attackers who obtain this cookie can connect to Erlang node...
Unauthenticated attackers can send large commands to Couchbase Server's memcached component, causing memory exhaustion and denial of service. This affects Couchbase Server versions 6.6.x through 7.2.0...
CVE-2023-50437 exposes sensitive authentication cookies (otpCookie) to administrators through specific API endpoints in Couchbase Server. This allows administrators to potentially escalate privileges ...
Couchbase Server 7.1.x and 7.2.x before 7.2.4 exposes sensitive admin statistics and vitals endpoints without authentication on localhost port 8093. This allows any local user or process to access det...
This vulnerability allows a remote attacker to exploit heap corruption in Google Chrome's V8 JavaScript engine via a crafted HTML page. Attackers could potentially execute arbitrary code or cause deni...
CVE-2023-36667 is a directory traversal vulnerability in Couchbase Server that allows attackers to access files outside the intended directory. This affects Couchbase Server versions 7.1.4 before 7.1....
CVE-2023-45875 is a private key leak vulnerability in Couchbase Server 7.2.0 where sensitive cryptographic keys are exposed in debug.log files when adding pre-7.0 nodes to a 7.2 cluster. This affects ...
This vulnerability is a type confusion flaw in Chrome's V8 JavaScript engine that allows a remote attacker to trigger heap corruption by tricking the engine into misinterpreting data types. Attackers ...
This vulnerability is a type confusion flaw in Chrome's V8 JavaScript engine that could allow a remote attacker to execute arbitrary code or cause heap corruption by tricking a user into visiting a ma...
CVE-2022-42951 is an authentication bypass vulnerability in Couchbase Server that allows attackers to connect to the cluster manager using default credentials during a brief startup window before auth...
Couchbase Server versions before 6.6.6, 7.0.5, and 7.1.2 expose sensitive information to unauthorized actors. This vulnerability allows attackers to access confidential data without proper authenticat...
CVE-2022-32556 is a sensitive information disclosure vulnerability in Couchbase Server where private keys are written to log files during certain crash scenarios. This affects all Couchbase Server dep...
CVE-2022-33173 is an algorithm-downgrade vulnerability in Couchbase Server Analytics Remote Links that temporarily downgrades to non-TLS connections during TLS port discovery, using SCRAM-SHA authenti...
Couchbase Server versions 5.x through 7.x before 7.0.4 expose sensitive information to unauthorized actors. This information disclosure vulnerability allows attackers to access data they shouldn't hav...
CVE-2022-32565 is an information disclosure vulnerability in Couchbase Server where the Backup Service logs contain unredacted usernames and document IDs. This affects organizations running Couchbase ...
CVE-2022-32564 is an information disclosure vulnerability in Couchbase Server's couchbase-cli tool where the server-eshell command leaks the Cluster Manager authentication cookie. This allows attacker...
CVE-2022-32558 is a vulnerability in Couchbase Server where sample bucket loading failures can expose internal user passwords. This affects Couchbase Server administrators and users with access to err...
CVE-2021-37842 is a cleartext storage vulnerability in Couchbase Server 7.0.0 where sensitive XDCR (Cross Data Center Replication) credentials can be leaked in debug logs. This occurs when config keys...
CVE-2021-35945 is a buffer overflow vulnerability in Couchbase Server's memcached component that allows remote attackers to crash the service via specially crafted network packets. This affects Couchb...
CVE-2021-25644 is an information disclosure vulnerability in Couchbase Server where incorrect REST API commands cause authentication credentials to be logged in cleartext in debug.log and info.log fil...
This vulnerability allows users with the security_admin_local role in Couchbase Server to create new users with admin privileges, bypassing intended role separation. It affects Couchbase Server 7.6.x ...
CVE-2024-37034 is an authentication bypass vulnerability in Couchbase Server where credentials may not be properly negotiated with SCRAM-SHA encryption when remote link encryption is configured for Ha...
Couchbase Server versions 5 through 7.1.3 expose the nsstats endpoint without requiring authentication. This allows unauthenticated attackers to access server statistics and potentially gather informa...