couchbase server · threatengine.sh

Home/Product/couchbase server

Product

couchbase server

63 known vulnerabilities across versions

Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.

Sort Min CVSS Published since

>= 2.0.0 and < 7.2.7

A security issue has been discovered in Couchbase Server before 7.6.4 and fixed in v.7.6.4 and v.7.2.7 for Windows that could allo

>= 7.6.0 and <= 7.6.3

An issue was discovered in Couchbase Server 7.6.x through 7.6.3. A user with the security_admin_local role can create a new user i

>= 2.0.0 and < 7.2.6

Couchbase Server 7.6.x before 7.6.2, 7.2.x before 7.2.6, and all earlier versions allows HTTP Host header injection.

>= 6.0.0 and < 7.2.5

An issue was discovered in Couchbase Server before 7.2.5 and 7.6.0 before 7.6.1. It does not ensure that credentials are negotiate

>= 6.6.0 and < 7.1.5

An issue was discovered in Couchbase Server 6.6.x through 7.2.0, before 7.1.5 and 7.2.1. Unauthenticated users may cause memcached

Couchbase Server before 7.2.4 has a private key leak in goxdcr.log.

>= 2.0.0 and < 7.2.4

An issue was discovered in Couchbase Server before 7.2.x before 7.2.4. otpCookie is shown with full admin on pools/default/serverG

>= 7.1.5 and < 7.2.4

An issue was discovered in Couchbase Server before 7.2.4. ns_server admin credentials are leaked in encoded form in the diag.log f

>= 5.0.0 and < 7.2.4

An issue was discovered in Couchbase Server before 7.2.4. An attacker can bypass SQL++ N1QL cURL host restrictions.

>= 5.0.0 and < 7.2.4

An issue was discovered in Couchbase Server before 7.2.4. SQL++ cURL calls to /diag/eval are not sufficiently restricted.

>= 7.1.5 and < 7.2.4

An issue was discovered in Couchbase Server before 7.2.4. cURL calls to /diag/eval are not sufficiently restricted.

>= 6.5.0 and < 7.2.4

An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (outage of reader threads).

>= 6.0.0 and < 7.2.4

An issue was discovered in Couchbase Server through 7.1.4 before 7.1.5 and before 7.2.1. There are Unauthenticated RMI Service Por

>= 4.0.0 and < 7.2.4

Couchbase Server 7.1.x and 7.2.x before 7.2.4 does not require authentication for the /admin/stats and /admin/vitals endpoints on

An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (application exist) because

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS se

Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap c

>= 2.0.0 and < 7.1.5

Couchbase Server 7.1.4 before 7.1.5 and 7.2.0 before 7.2.1 allows Directory Traversal.

An issue was discovered in Couchbase Server 7.2.0. There is a private key leak in debug.log while adding a pre-7.0 node to a 7.2 c

Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via

Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via

>= 6.6.0 and < 7.1.4

In Couchbase Server 5 through 7 before 7.1.4, the nsstats endpoint is accessible without authentication.

>= 2.0.0 and < 6.6.6

Couchbase Server before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2 exposes Sensitive Information to an Unauthorized Actor.

>= 6.5.0 and < 6.6.6

An issue was discovered in Couchbase Server 6.5.x and 6.6.x before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2. During the sta

>= 7.0.0 and < 7.0.5

An issue was discovered in Couchbase Server 7.x before 7.0.5 and 7.1.x before 7.1.2. A crafted HTTP REST request from an administr

>= 3.0.0 and < 7.1.1

An issue was discovered in Couchbase Server before 7.0.4. A private key is leaked to the log files with certain crashes.

In Couchbase Server 7.1.x before 7.1.1, an encrypted Private Key passphrase may be leaked in the logs.

>= 6.5.0 and < 7.0.4

An issue was discovered in Couchbase Server 7.x before 7.0.4. Field names are not redacted in logged validation messages for Analy

>= 6.6.0 and < 7.0.4

An algorithm-downgrade issue was discovered in Couchbase Server before 7.0.4. Analytics Remote Links may temporarily downgrade to

>= 5.0.0 and < 6.6.5

An issue was discovered in Couchbase Server before 6.6.5 and 7.x before 7.0.4. Previous mitigations for CVE-2018-15728 were found

>= 4.0.0 and < 7.0.4

An issue was discovered in Couchbase Server before 7.0.4. Random HTTP requests lead to leaked metrics.

>= 4.0.0 and < 7.0.4

An issue was discovered in Couchbase Server before 7.0.4. The Index Service does not enforce authentication for TCP/TLS servers.

>= 7.0.0 and < 7.1.0

An issue was discovered in Couchbase Server before 7.0.4. The Backup Service log leaks unredacted usernames and document ids.

>= 7.0.0 and <= 7.0.4

An issue was discovered in Couchbase Server before 7.0.4. Operations may succeed on a collection using stale RBAC permission.

>= 5.0.0 and < 7.0.4

Couchbase Server 5.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor.

An issue was discovered in Couchbase Server before 7.0.4. In couchbase-cli, server-eshell leaks the Cluster Manager cookie.

>= 4.0.0 and < 7.0.4

An issue was discovered in Couchbase Server before 7.0.4. XDCR lacks role checking when changing internal settings.

>= 6.6.0 and <= 6.6.3

An issue was discovered in Couchbase Server before 7.0.4. Sample bucket loading may leak internal user passwords during a failure.

>= 6.6.0 and <= 6.6.3

Couchbase Server 6.6.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor.

>= 2.0.0 and < 7.1.0

Couchbase Server before 7.1.0 has Incorrect Access Control.

Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster ma

metakv in Couchbase Server 7.0.0 uses Cleartext for Storage of Sensitive Information. Remote Cluster XDCR credentials can get leak

>= 4.5.0 and <= 5.5.6

Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a Buffer Overflow. A specially crafted network packet sent from an att

>= 6.5.0 and <= 6.5.2

Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a Buffer Overflow. A specially crafted network packet sent from an atta

>= 6.5.0 and <= 6.5.2

Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using

>= 5.0.0 and < 6.5.2

An issue was discovered in Couchbase Server 5.x and 6.x before 6.5.2 and 6.6.x before 6.6.2. Internal users with administrator pri

>= 6.0.0 and < 6.6.2

An issue was discovered in Couchbase Server 6.x through 6.6.1. The Couchbase Server UI is insecurely logging session cookies in th

>= 6.5.0 and < 6.6.2

In the Query Engine in Couchbase Server 6.5.x and 6.6.x through 6.6.1, Common Table Expression queries were not correctly checking

>= 6.5.0 and < 6.6.2

An issue was discovered in Couchbase Server 6.5.x and 6.6.x through 6.6.1. When using the View Engine and Auditing is enabled, a c

>= 5.0.0 and <= 6.6.1

An issue was discovered in Couchbase Server 5.x and 6.x through 6.6.1 and 7.0.0 Beta. Incorrect commands to the REST API can resul

An issue was discovered in Couchbase Server before 6.0.5, 6.1.x through 6.5.x before 6.5.2, and 6.6.x before 6.6.1. An internal us

>= 6.5.1 and < 6.6.0

Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes is done by exchangin

In Couchbase Server 6.0, credentials cached by a browser can be used to perform a CSRF attack if an administrator has used their b

In Couchbase Server 6.0.3 and Couchbase Sync Gateway through 2.7.0, the Cluster management, views, query, and full-text search end

>= 4.6.0 and <= 4.6.5

Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions f

In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not

In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access w

In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely. Couchbase Server uses erlang:n

In Couchbase Server 4.6.3 and 5.5.0, secondary indexing encodes the entries to be indexed using collatejson. When index entries co

In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes system diagnostic profile via an HTTP endpoint that does not req

>= 5.5.0 and <= 5.5.3

An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a

Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Optio

Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin