CVE-2017-12636

NameCVE-2017-12636
DescriptionCouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1252-1
NVD severityhigh (attack range: remote)

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
couchdbsource(unstable)(unfixed)high
couchdbsourcewheezy1.2.0-5+deb7u1highDLA-1252-1

Notes

http://www.openwall.com/lists/oss-security/2017/11/14/6
Likely patch for 1.2.x: https://github.com/apache/couchdb/commit/9a28df7e9703a1a3420e7616c4d33a523ee06354
Possibly needs more updates: https://github.com/apache/couchdb/commit/bf6b6a1c84321baee2c4ad354059a45e0b8fdec7

Search for package or bug name: Reporting problems