Dec. 5, 2023, 7:40 p.m.

Neighbourhoodie CouchDB News Special Edition: Apache CouchDB CVE-2023-45725 Guidance

Neighbourhoodie’s Newsletter


Dear Neighbourhoodie Customer (current or former) or Newsletter subscriber,

You are receiving this email because the just-released CouchDB 3.3.3 includes a fix for CVE-2023-45725. The exact details of this vulnerability are going to be released in seven days.

As Neighbourhoodie customers, you benefit from our assessment prior to the release. In general, we recommend that everyone upgrade to the latest version, but this detailed assessment helps you decide how urgent this upgrade is for you.

Without going into any details, the two prerequisites for this vulnerability to be exploitable are:

  1. Your setup must allow malicious non-admin users to upload or replicate design docs into a CouchDB database.
  2. An admin must be tricked into clicking on a specific link that leads to loading an attachment from said design doc into the browser session of the CouchDB admin.
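To help decide how urgent the upgrade is, here is a small audit helper for the two facts a defender can check against their own deployment: whether the running CouchDB is older than 3.3.3, and which databases grant design-document write access to anyone other than server admins (prerequisite 1). This is an added example, not code from Neighbourhoodie or Apache CouchDB. It assumes the `_security` object shape that `GET /{db}/_security` returns (`admins`/`members`, each with `names` and `roles`) and the CouchDB rule that only database admins may write design documents; the HTTP calls are left to the caller, and the sample data is constructed.

```python
"""Audit helper for the CVE-2023-45725 prerequisites (added example).

Assumptions (not taken from the newsletter):
  - `_security` objects look like what CouchDB returns from GET /{db}/_security
  - only database admins (or server admins) can write design documents
The sample inputs at the bottom are constructed, not real deployment data.
"""
from typing import Dict, List, Tuple

FIXED_VERSION = (3, 3, 3)  # the release that ships the fix, per the newsletter


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a CouchDB version string such as "3.3.2" into a comparable tuple.

    Pre-release / build suffixes (e.g. "3.3.3-rc1") are stripped before parsing.
    """
    core = v.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def needs_upgrade(version: str) -> bool:
    """True when the reported version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def design_doc_writers(security: Dict) -> Dict[str, List[str]]:
    """Return the explicitly delegated principals that may write design docs.

    If the `admins` section is empty, only server admins are database admins,
    so an empty result means no non-server-admin user can upload design docs
    to this database by a direct write.
    """
    admins = (security or {}).get("admins") or {}
    return {
        "names": list(admins.get("names") or []),
        "roles": list(admins.get("roles") or []),
    }


def exposed_databases(securities: Dict[str, Dict]) -> List[str]:
    """Given {db_name: security_object}, list databases where a named user or
    role beyond the server admins has design-document write access."""
    hits = []
    for db, sec in securities.items():
        writers = design_doc_writers(sec)
        if writers["names"] or writers["roles"]:
            hits.append(db)
    return sorted(hits)


def audit(version: str, securities: Dict[str, Dict]) -> Dict:
    """Combine both checks into one report dict."""
    return {
        "needs_upgrade": needs_upgrade(version),
        "databases_with_delegated_design_doc_writes": exposed_databases(securities),
    }


# Constructed sample: what GET /{db}/_security might return for three databases.
SAMPLE_SECURITY = {
    "inventory": {"admins": {"names": [], "roles": []},
                  "members": {"names": [], "roles": []}},
    "tickets":   {"admins": {"names": ["alice"], "roles": []},
                  "members": {"names": [], "roles": ["support"]}},
    "shared":    {"admins": {"names": [], "roles": ["team_lead"]},
                  "members": {"names": [], "roles": []}},
}

if __name__ == "__main__":
    # Version string would normally come from GET / on the CouchDB node.
    print(audit("3.3.2", SAMPLE_SECURITY))
```

The `_security` check only covers direct writes. The "replicate design docs" path in prerequisite 1 is not visible from `_security`: a replication that an admin runs from an untrusted source database copies that source's design documents along with everything else, so the list of replication sources deserves the same review.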

This is a rare circumstance, and while we do not want to downplay the possibility of this issue being exploited, we believe its severity is very low.

Contact

If you have any questions or feedback about any of this and you are under a Neighbourhoodie CouchDB Support contract, you can always get in touch at couchdb@neighbourhood.ie.

If you are interested in signing up for a Neighbourhoodie CouchDB Support contract, contact sales@neighbourhood.ie.

Best
Your Neighbourhoodie CouchDB Team
—

You just read issue #4 of Neighbourhoodie’s Newsletter. You can also browse the full archives of this newsletter.
