CVE-2020-9039

Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles. The endpoint was unauthenticated and has been updated to only allow authenticated users to access these administrative APIs.

Published: Feb 22, 2020
Updated: Apr 14, 2023
CVE: CVE-2020-9039
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-276

Affected Software
References

Software	From	Fixed in
couchbase / couchbase_server	5.0.0	5.0.0.x
couchbase / couchbase_server	5.1.1	5.1.1.x
couchbase / couchbase_server	5.5.0	5.5.0.x
couchbase / couchbase_server	4.0.0	4.0.0.x
couchbase / couchbase_server	5.5.1	5.5.1.x
couchbase / couchbase_server	4.5.0	4.5.0.x
couchbase / couchbase_server	4.5.1	4.5.1.x
couchbase / couchbase_server	4.1.0	4.1.0.x
couchbase / couchbase_server	4.1.1	4.1.1.x
couchbase / couchbase_server	4.6.0	4.6.5.x

https://www.couchbase.com/resources/security#SecurityAlerts

Vulnerability Database

289,599

CVE-2020-9039