Apache CouchDB CVE-2018-17188: Remote Privilege Escalations

Date: 17.12.2018
Affected: All Versions of Apache CouchDB
Severity: Medium
Vendor: The Apache Software Foundation


Prior to CouchDB version 2.3.0, CouchDB allowed for runtime configuration of key components of the database. In some cases, this led to vulnerabilities where CouchDB admin users could access the underlying operating system as the CouchDB user. Together with other vulnerabilities, it allowed full system entry for unauthenticated users.

These vulnerabilities were fixed and disclosed in the following CVE reports:

Rather than waiting for new vulnerabilities to be discovered, and fixing them as they come up, the CouchDB development team decided to make changes to avoid this entire class of vulnerabilities.

With CouchDB version 2.3.0, key components of CouchDB can no longer be configured at runtime. Some flexibility is still needed for speciality configurations of CouchDB, so this configuration was moved from runtime to start-up time, and changing it now requires shell access to the CouchDB server.

This closes all future paths for vulnerabilities of this type.


All users should upgrade to CouchDB 2.3.0.

Upgrades from previous 2.x versions in the same series should be seamless.

Users on earlier versions should consult with upgrade notes.
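The advisory states that every CouchDB release before 2.3.0 is affected, so the practical first step for an operator is to inventory the version each node reports. The following is an added example, not part of the advisory or the CouchDB project: it parses the JSON welcome document that a CouchDB node returns for GET / (the `couchdb` and `version` keys are the real document shape; the two sample bodies below are constructed for this example) and reports whether the node is below the fixed version.

```python
import json
import re

# Fixed version for CVE-2018-17188, as stated in the advisory.
FIXED_VERSION = (2, 3, 0)

# Constructed sample welcome documents from two hypothetical nodes.
# Key names follow the real GET / response; the values are made up.
SAMPLE_WELCOME_OLD = (
    '{"couchdb":"Welcome","version":"2.2.0",'
    '"vendor":{"name":"The Apache Software Foundation"}}'
)
SAMPLE_WELCOME_FIXED = (
    '{"couchdb":"Welcome","version":"2.3.0",'
    '"vendor":{"name":"The Apache Software Foundation"}}'
)


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '2.3.0' (or '1.7') into a
    comparable integer tuple, ignoring any trailing pre-release suffix.
    Assumes CouchDB's usual major.minor[.patch] numbering."""
    match = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognised CouchDB version string: {version!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(welcome_json: str) -> bool:
    """Return True when the welcome document reports a version below 2.3.0."""
    doc = json.loads(welcome_json)
    if doc.get("couchdb") != "Welcome" or "version" not in doc:
        raise ValueError("response is not a CouchDB welcome document")
    return parse_version(doc["version"]) < FIXED_VERSION


def assess(welcome_json: str) -> str:
    """Human-readable verdict for one node's welcome document."""
    version = json.loads(welcome_json)["version"]
    if is_affected(welcome_json):
        return f"CouchDB {version}: affected by CVE-2018-17188, upgrade to 2.3.0"
    return f"CouchDB {version}: not affected (2.3.0 or later)"


if __name__ == "__main__":
    # In practice, fetch each node's GET / body over HTTP and pass it in.
    for sample in (SAMPLE_WELCOME_OLD, SAMPLE_WELCOME_FIXED):
        print(assess(sample))
```

The comparison is deliberately numeric rather than a string match so that, for instance, "2.10.0" sorts above "2.3.0"; any node reporting a version the parser cannot read is raised as an error rather than silently treated as patched.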


This issue was discovered by the Apple Information Security team.


Dear community,

Apache CouchDB 2.3.0 has been released and is available for download.

Update 2018-12-17: This update includes a fix for CVE-2018-17188.

Apache CouchDB™ lets you access your data where you need it. The Couch Replication Protocol is implemented in a variety of projects and products that span every imaginable computing environment, from globally distributed server clusters and mobile phones to web browsers.

Store your data safely, on your own servers, or with any leading cloud provider. Your web and native applications love CouchDB, because it speaks JSON natively and supports binary data for all your data storage needs.

The Couch Replication Protocol lets your data flow seamlessly between server clusters to mobile phones and web browsers, enabling a compelling offline-first user-experience while maintaining high performance and strong reliability. CouchDB comes with a developer-friendly query language, and optionally MapReduce for simple, efficient, and comprehensive data retrieval.


Pre-built packages for Windows, macOS, Debian/Ubuntu and RHEL/CentOS are available.

CouchDB 2.3.0 is a feature release, and was originally published on 2018-12-06.

The community would like to thank all contributors for their part in making this release; from the smallest bug report or patch to major contributions in code, design, or marketing, we couldn’t have done it without you!

See the official release notes document for an exhaustive list of all changes:


Release Notes highlights:

  • (Multiple) Clustered purge is now available. This feature restores the CouchDB 1.x ability to completely remove any record of a document from a database. Conditions apply; to use the feature safely, and for full details, read the complete Clustered Purge documentation.

  • A new config setting is available, allowing an administrator to configure an initial list of nodes that should be contacted when a node boots up. Nodes in the seedlist that are successfully reached will be added to that node’s _nodes database automatically, triggering a distributed Erlang connection and replication of the internal system databases to the new node. This can be used instead of manual config or the cluster setup wizard to bootstrap a cluster. The progress of the initial seeding of new nodes is exposed at the GET /_up endpoint.

  • Replication supports IPv6-only peers.

  • The UUID of the server/cluster is once again exposed in the GET / response. This was a regression from CouchDB 1.x.

  • Stats counts between job runs of the replicator are no longer reset on job restart.

  • CouchDB’s _bulk_get implementation now supports the multipart/mixed and multipart/related content types if requested, extending compatibility with third-party replication clients.

  • CouchDB no longer forces the TCP receive buffer to a fixed size of 256KB, allowing the operating system to dynamically adjust the buffer size. This can lead to significantly improved network performance when transferring large attachments.

  • To improve security, there have been major changes in the configuration of query servers, SSL support, and HTTP global handlers. See the release notes for important upgrade information.

  • All Python scripts shipped with CouchDB, including couchup and the dev/run development cluster script, now specify and require Python 3.x.

  • CouchDB is now compatible with Erlang 21.x.

  • The embedded version of rebar used to build CouchDB has been updated to the last version of rebar2 available. This assists in building on non-x86 platforms.

  • Plus many other performance improvements, bugfixes, and UI improvements!

On behalf of the CouchDB PMC,
Joan Touzet