CVE-2022-24706
Published: 26 April 2022
Summary
CVE-2022-24706 is a critical-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in Apache CouchDB. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
Apache CouchDB versions prior to 3.2.2 contain an insecure default configuration (CWE-1188) that permits unauthenticated network access to the database. The flaw allows any remote party to reach administrative functions on installations that have not applied additional hardening steps, despite longstanding CouchDB documentation that explicitly recommends placing a firewall in front of every instance. The issue carries a CVSS 3.1 base score of 9.8.
An attacker with network connectivity to an exposed, unpatched CouchDB server can obtain full administrative privileges without supplying credentials. Public exploit code demonstrates that this access path can be leveraged for remote code execution, enabling arbitrary command execution on the underlying host.
Official notices and subsequent oss-security mailing-list postings direct users to upgrade to CouchDB 3.2.2 or later and to enforce the previously documented network controls. Multiple working remote-code-execution exploits have been published, and the vulnerability maintains an EPSS score above 0.94, indicating sustained exploitation interest after disclosure.
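A small triage helper, added here as an example and not part of the advisory or of the CouchDB project: it reads the banner CouchDB returns for `GET /` (a JSON document with a `version` field) and the HTTP status of an unauthenticated `GET /_all_dbs`, then reports whether the instance is below the fixed release 3.2.2 and whether the HTTP interface still answers without credentials, the two conditions the upgrade and access-control guidance above addresses. The base URL in `probe` is a placeholder and the sample banners are constructed; it checks posture, not the presence of the flaw itself.

```python
import json
import re
import urllib.error
import urllib.request

FIXED_VERSION = (3, 2, 2)  # first release that fixes CVE-2022-24706, per the advisory


def parse_version(text):
    """Turn a CouchDB version string such as '3.2.1' or '3.2.2-RC1' into a
    comparable tuple of ints; a missing patch level counts as 0, suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def assess(root_body, unauth_status):
    """root_body: JSON text from GET / on the server; unauth_status: HTTP status
    of an unauthenticated GET /_all_dbs. Returns findings a fleet scan can aggregate."""
    version = parse_version(json.loads(root_body).get("version", ""))
    findings = []
    if version < FIXED_VERSION:
        findings.append("version %s is below 3.2.2; upgrade" % ".".join(map(str, version)))
    if unauth_status == 200:
        findings.append("/_all_dbs was served without credentials; enforce authentication")
    return {"version": version, "patched": version >= FIXED_VERSION,
            "requires_auth": unauth_status == 401, "findings": findings}


def probe(base_url, timeout=5):
    """Live variant: fetch GET / and an unauthenticated GET /_all_dbs from base_url
    (e.g. 'http://127.0.0.1:5984', a placeholder) and hand the results to assess()."""
    with urllib.request.urlopen(base_url + "/", timeout=timeout) as resp:
        root_body = resp.read().decode()
    try:
        with urllib.request.urlopen(base_url + "/_all_dbs", timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    return assess(root_body, status)


# Constructed sample banners standing in for real GET / responses.
SAMPLE_VULNERABLE = '{"couchdb":"Welcome","version":"3.2.1","features":[]}'
SAMPLE_FIXED = '{"couchdb":"Welcome","version":"3.2.2","features":[]}'

if __name__ == "__main__":
    for body, status in ((SAMPLE_VULNERABLE, 200), (SAMPLE_FIXED, 401)):
        print(assess(body, status))
```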
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29572
Vulnerability details
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.
- CWE(s): CWE-1188 (Initialization of a Resource with an Insecure Default)
- KEV Date Added: 25 August 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SC-7 (Boundary Protection): directly implements the documented requirement to place a network firewall in front of every CouchDB installation so the service is never reachable without authentication.
- AC-3 (Access Enforcement): enforces authentication and authorization decisions on every request to the CouchDB HTTP interface, blocking the unauthenticated admin-privilege path described in the CVE.
- Identification and authentication: requires unique identification and authentication of users before granting access to the database, eliminating the default unauthenticated administrative entry point.