Cyber Resilience

CVE-2022-24706

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 26 April 2022

Published
26 April 2022
Modified
28 October 2025
KEV Added
25 August 2022
Patch
09 May 2022
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9438 100.0th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-24706 is a critical-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in Apache Couchdb. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

Apache CouchDB versions prior to 3.2.2 contain an insecure default configuration (CWE-1188) that permits unauthenticated network access to the database. The flaw allows any remote party to reach administrative functions on installations that have not applied additional hardening steps, despite longstanding CouchDB documentation that explicitly recommends placing a firewall in front of every instance. The issue carries a CVSS 3.1 base score of 9.8.

An attacker with network connectivity to an exposed, unpatched CouchDB server can obtain full administrative privileges without supplying credentials. Public exploit code demonstrates that this access path can be leveraged for remote code execution, enabling arbitrary command execution on the underlying host.

Official notices and subsequent OSS-Security postings direct users to upgrade to CouchDB 3.2.2 or later and to enforce the previously documented network controls. Multiple working remote-code-execution exploits have been published, and the vulnerability maintains an EPSS score above 0.94, indicating sustained exploitation interest after disclosure.

EU & UK References

Vulnerability details

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front…

more

of all CouchDB installations.

CWE(s)
KEV Date Added
25 August 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
couchdb
≤ 3.2.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly implements the documented requirement to place a network firewall in front of every CouchDB installation so the service is never reachable without authentication.

prevent

Enforces authentication and authorization decisions on every request to the CouchDB HTTP interface, blocking the unauthenticated admin-privilege path described in the CVE.

prevent

Requires unique identification and authentication of users before granting access to the database, eliminating the default unauthenticated administrative entry point.

References