CRITICAL🇵🇱 Wersja polska

CVE-2023-49930

CVSS 9.8v3.1pub. 2024-02-29upd. 2025-03-28

An issue was discovered in Couchbase Server before 7.2.4. cURL calls to /diag/eval are not sufficiently restricted.

🤖 AI Analysis
How it works

The /diag/eval endpoint in Couchbase Server enables execution of diagnostic code on the server. Due to insufficient restrictions on cURL calls directed to this endpoint, an attacker can send network requests without proper authentication or authorization. The vulnerability is classified as an access control issue (CWE-284), meaning that authorization verification mechanisms do not work as intended by security assumptions.

Impact

An attacker without any authentication, remotely over the network, can gain full control over the confidentiality, integrity, and availability of the system — corresponding to maximum CVSS scores in these categories.

Mitigation & patch

Couchbase Server should be updated to version 7.2.4 or newer. Detailed information is available in the official release notes from the vendor at docs.couchbase.com and on the security alerts page at couchbase.com/alerts/

Who is affected

Couchbase Server in all versions before 7.2.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Couchbase Server

    APP
    Couchbase
    7.1.5 – 7.2.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-49931CRITICAL9.8PL ✓ten sam produkt

Niewystarczające ograniczenia wywołań cURL w Couchbase Server (SQL++)

CVE-2022-32559CRITICAL9.1ten sam produkt

An issue was discovered in Couchbase Server before 7.0.4. Random HTTP requests lead to leaked metrics.

CVE-2021-35943CRITICAL9.8ten sam produkt

Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not ...

CVE-2020-24719CRITICAL9.8ten sam produkt

Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes ...

CVE-2020-9039CRITICAL9.8ten sam produkt

Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have In...