Details
- Bug
- Resolution: Fixed
- Critical
- 4.0.0, 4.1.2, 4.5.1, 4.6.5, 5.0.0, 5.0.1, 5.1.1, 5.5.0, 5.5.1
- Security Level: Public
- Untriaged
- Unknown
- CVE-2018-15728
- High
Description
Publish date: October 2018
Issue Summary: /diag/eval endpoint is not locked down to localhost
CVSS/Severity: 8.8 (High)
Description: Couchbase Server exposes the '/diag/eval' endpoint, which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have the 'Full Admin' role assigned can send arbitrary Erlang code to the 'diag/eval' endpoint of the API. The code is then executed on the underlying operating system with the privileges of the user that was used to start Couchbase.
Affected Products: Couchbase Server - Cluster Manager
Recognition: Apple Security Team
Limit diagnostic endpoints (at least everything like /diag/eval) so that they can be used only from localhost.
Note that this endpoint is authenticated and requires the highest privileges in the system (Full Admin). So it is already the case that a user who can access this endpoint can steal, delete or corrupt all the data in the system. Customers can mitigate this issue by tightly controlling access to full administrative privileges.
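As an added detection example (not part of this ticket or of Couchbase's own tooling), the check below flags /diag/eval requests that did not come from loopback, which is exactly the access the fix above removes. It assumes the HTTP access log is in Common Log Format; the sample lines are constructed.

```python
import ipaddress
import re

# Assumption: the access log is in Common Log Format (source, ident, user,
# timestamp, request line, status, size). Adjust LINE_RE for your deployment.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one local call, one successful remote call,
# one unrelated request and one rejected (401) remote attempt.
SAMPLE_LOG = """\
127.0.0.1 - Administrator [10/Oct/2018:12:00:01 +0000] "POST /diag/eval HTTP/1.1" 200 12
10.0.0.7 - Administrator [10/Oct/2018:12:00:05 +0000] "POST /diag/eval HTTP/1.1" 200 12
10.0.0.9 - Administrator [10/Oct/2018:12:00:09 +0000] "GET /pools/default HTTP/1.1" 200 812
192.168.1.4 - ro_user [10/Oct/2018:12:01:00 +0000] "POST /diag/eval HTTP/1.1" 401 0
"""


def flag_remote_diag_eval(log_text):
    """Return one record per /diag/eval request whose source is not loopback.

    The endpoint needs a Full Admin credential, so a 2xx hit from a remote
    address means a fully privileged account was used over the network; a
    non-2xx hit still shows the endpoint was reachable from outside the host.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        if m.group("path").split("?", 1)[0] != "/diag/eval":
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # hostname rather than an address: cannot classify
        if src.is_loopback:
            continue  # local use is what the fix in this ticket still allows
        status = int(m.group("status"))
        hits.append({
            "src": str(src),
            "user": m.group("user"),
            "status": status,
            "executed": 200 <= status < 300,
        })
    return hits
```

Feed real log text to `flag_remote_diag_eval` and treat any record with `executed` set as a Full Admin credential used from the network.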