Couchbase Gateway / CBG-2102

Admin auth credentials not verified when using x.509 auth between SG and CBS


Details

    • Bug
    • Resolution: Fixed
    • Blocker
    • 3.1.0
    • 3.0.0
    • SyncGateway
    • Security Level: Public
    • 1
    • CVE-2022-32563
    • Critical

    Description

      When x.509 authentication is used between Sync Gateway and Couchbase Server, the x.509 client certificates are also included in the tlsConfig of the request Sync Gateway makes to CBS to authenticate Admin REST API access, alongside the basic auth credentials the caller provided. Couchbase Server authenticates that request based on the x.509 certificates and ignores the basic auth.

      The result is that the admin auth credentials are never actually checked: any credentials are accepted for Sync Gateway's Admin REST API when x.509 is used between SG and CBS.
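To make the mechanism concrete, here is an added Go example written for this page; it is not Sync Gateway's or Couchbase Server's code. It assumes a mock Couchbase Server that behaves as the description says: any request carrying a trusted x.509 client certificate is authenticated by that certificate and its Authorization header is ignored, while certificate-less requests are checked against a user/password. The admin credentials, the certificate subject and the endpoint path are constructed for the demo. The same credential check runs twice: through an http.Client whose tls.Config also carries the client certificate (the pattern the issue describes), and through a client that presents no certificate, which is the shape of check in which the supplied password actually decides the outcome.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// must turns a setup error into a panic; setup failures are fatal for this demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Constructed admin credentials for the mock; not values from Sync Gateway or Couchbase Server.
const adminUser, adminPass = "sg_admin", "correct-horse"

// newClientCert makes a self-signed cert standing in for the x.509 identity SG presents to CBS, plus a pool that trusts it.
func newClientCert() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "sync-gateway-client"}, // hypothetical subject
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is also its own trust anchor
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// mockCBS stands in for Couchbase Server as the issue describes it: a trusted client cert authenticates
// the request and the Authorization header is ignored; only certificate-less requests are checked against the password.
func mockCBS(clientCAs *x509.CertPool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if (r.TLS != nil && len(r.TLS.PeerCertificates) > 0) || (ok && user == adminUser && pass == adminPass) {
			w.WriteHeader(http.StatusOK)
			return
		}
		w.WriteHeader(http.StatusUnauthorized)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: clientCAs}
	srv.StartTLS() // httptest supplies its own localhost server certificate
	return srv
}

// checkAdminCreds asks CBS whether user/pass are valid; the answer only means something when cfg carries no client cert.
func checkAdminCreds(cfg *tls.Config, baseURL, user, pass string) bool {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	req := must(http.NewRequest(http.MethodGet, baseURL+"/", nil)) // placeholder path; the mock ignores it
	req.SetBasicAuth(user, pass)
	resp := must(client.Do(req))
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

type Outcome struct {
	MTLSAcceptsWrongPassword      bool // the bug: any password is accepted
	CredsOnlyRejectsWrongPassword bool // the fix: the credentials decide
	CredsOnlyAcceptsRightPassword bool
}

// RunScenario drives both client configurations against the mock and reports what happened.
func RunScenario() Outcome {
	cert, clientCAs := newClientCert()
	srv := mockCBS(clientCAs)
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	// Vulnerable: the tlsConfig carrying the SG->CBS client cert is reused for the credential check.
	mtls := &tls.Config{RootCAs: roots, Certificates: []tls.Certificate{cert}}
	// Hardened: still verify the server, but present no client cert, so only the credentials decide.
	credsOnly := &tls.Config{RootCAs: roots}
	return Outcome{
		MTLSAcceptsWrongPassword:      checkAdminCreds(mtls, srv.URL, adminUser, "wrong-password"),
		CredsOnlyRejectsWrongPassword: !checkAdminCreds(credsOnly, srv.URL, adminUser, "wrong-password"),
		CredsOnlyAcceptsRightPassword: checkAdminCreds(credsOnly, srv.URL, adminUser, adminPass),
	}
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Running it with `go run .` prints an Outcome in which the mTLS client reports the wrong password as accepted while the certificate-only-free client rejects it and accepts the right one. The general point is that a credential check delegated to a backend must travel over a channel that carries no stronger ambient credential than the one being checked; a regression test of the RunScenario shape, asserting that a wrong password is rejected, is the cheap way to catch this kind of client reuse before it ships.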

          People

            The One
            Ben Brooks (ben.brooks)