Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2022-24706

Disclosure Date: April 26, 2022 •

CVE-2022-24706 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by mkienow-r7 and 1 more...
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

exploit/multi/http/apache_couchdb_erlang_rce

Description

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

apache

Products

couchdb

Metasploit Modules

exploit/multi/http/apache_couchdb_erlang_rce (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_couchdb_erlang_rce.rb)

Exploited in the Wild

Reported by:

mkienow-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: August 25, 2022 7:42pm UTC (2 years ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2022/08/25/cisa-adds-ten-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:24am UTC (2 weeks ago)

References

Canonical

CVE-2022-24706 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24706)

Advisory

https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00

[oss-security] 20220426 CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging (http://www.openwall.com/lists/oss-security/2022/04/26/1)

[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging (http://www.openwall.com/lists/oss-security/2022/05/09/1)

[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging (http://www.openwall.com/lists/oss-security/2022/05/09/3)

[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging (http://www.openwall.com/lists/oss-security/2022/05/09/4)

[oss-security] 20220509 Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging (http://www.openwall.com/lists/oss-security/2022/05/09/2)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2022-24706-CouchDB-Exploit (https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit) (Added by AKB Worker)

Miscellaneous

http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html

https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-settings-b1e9173a4bcd

http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code-Execution.html

Rapid7

Unknown

CVE-2022-24706

Unknown

Unknown

None

None

Network

CVE-2022-24706

Description