Couchbase Couchbase Server — known CVE vulnerabilities
Every CVE whose affected-product data names Couchbase Couchbase Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (63)
CVE-2020-24719 — CVSS 9.8 (critical): Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes is done by exchanging a…
CVE-2020-9039 — CVSS 9.8 (critical): Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Permissions for the…
CVE-2023-49930 — CVSS 9.8 (critical): An issue was discovered in Couchbase Server before 7.2.4. cURL calls to /diag/eval are not sufficiently restricted.
CVE-2019-11495 — CVSS 9.8 (critical): In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely. Couchbase Server uses erlang:now() to…
CVE-2023-49931 — CVSS 9.8 (critical): An issue was discovered in Couchbase Server before 7.2.4. SQL++ cURL calls to /diag/eval are not sufficiently restricted.
CVE-2021-35943 — CVSS 9.8 (critical): Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty…
CVE-2019-11496 — CVSS 9.1 (critical): In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without…
CVE-2022-32562 — CVSS 8.8 (high): An issue was discovered in Couchbase Server before 7.0.4. Operations may succeed on a collection using stale RBAC permission.
CVE-2018-15728 — CVSS 8.8 (high): Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that…
CVE-2020-9042 — CVSS 8.8 (high): In Couchbase Server 6.0, credentials cached by a browser can be used to perform a CSRF attack if an administrator has used their browser to…
CVE-2023-50437 — CVSS 8.6 (high): An issue was discovered in Couchbase Server before 7.2.x before 7.2.4. otpCookie is shown with full admin on pools/default/serverGroups and…
CVE-2022-42951 — CVSS 8.1 (high): An issue was discovered in Couchbase Server 6.5.x and 6.6.x before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2. During the start-up of…
CVE-2025-46619 — CVSS 7.6 (high): A security issue has been discovered in Couchbase Server before 7.6.4 and fixed in v.7.6.4 and v.7.2.7 for Windows that could allow…
CVE-2019-11497 — CVSS 7.5 (high): In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate was entered as part of the reference creation, XDCR did not parse and…
CVE-2019-11467 — CVSS 7.5 (high): In Couchbase Server 4.6.3 and 5.5.0, secondary indexing encodes the entries to be indexed using collatejson. When index entries contain…
CVE-2020-9041 — CVSS 7.5 (high): In Couchbase Server 6.0.3 and Couchbase Sync Gateway through 2.7.0, the Cluster management, views, query, and full-text search endpoints…
CVE-2021-25644 — CVSS 7.5 (high): An issue was discovered in Couchbase Server 5.x and 6.x through 6.6.1 and 7.0.0 Beta. Incorrect commands to the REST API can result in…
CVE-2021-35944 — CVSS 7.5 (high): Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a Buffer Overflow. A specially crafted network packet sent from an attacker can…
CVE-2021-35945 — CVSS 7.5 (high): Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a Buffer Overflow. A specially crafted network packet sent from an attacker can…
CVE-2021-37842 — CVSS 7.5 (high): metakv in Couchbase Server 7.0.0 uses Cleartext for Storage of Sensitive Information. Remote Cluster XDCR credentials can get leaked in…
CVE-2021-42763 — CVSS 7.5 (high): Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager…
CVE-2022-32192 — CVSS 7.5 (high): Couchbase Server 5.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor.
CVE-2022-32556 — CVSS 7.5 (high): An issue was discovered in Couchbase Server before 7.0.4. A private key is leaked to the log files with certain crashes.
CVE-2022-32557 — CVSS 7.5 (high): An issue was discovered in Couchbase Server before 7.0.4. The Index Service does not enforce authentication for TCP/TLS servers.
CVE-2022-32558 — CVSS 7.5 (high): An issue was discovered in Couchbase Server before 7.0.4. Sample bucket loading may leak internal user passwords during a failure.
CVE-2022-32560 — CVSS 7.5 (high): An issue was discovered in Couchbase Server before 7.0.4. XDCR lacks role checking when changing internal settings.
CVE-2022-32564 — CVSS 7.5 (high): An issue was discovered in Couchbase Server before 7.0.4. In couchbase-cli, server-eshell leaks the Cluster Manager cookie.
CVE-2022-32565 — CVSS 7.5 (high): An issue was discovered in Couchbase Server before 7.0.4. The Backup Service log leaks unredacted usernames and document ids.
CVE-2022-33173 — CVSS 7.5 (high): An algorithm-downgrade issue was discovered in Couchbase Server before 7.0.4. Analytics Remote Links may temporarily downgrade to non-TLS…
CVE-2023-25016 — CVSS 7.5 (high): Couchbase Server before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2 exposes Sensitive Information to an Unauthorized Actor.
CVE-2023-43768 — CVSS 7.5 (high): An issue was discovered in Couchbase Server 6.6.x through 7.2.0, before 7.1.5 and 7.2.1. Unauthenticated users may cause memcached to run…
CVE-2023-45875 — CVSS 7.5 (high): An issue was discovered in Couchbase Server 7.2.0. There is a private key leak in debug.log while adding a pre-7.0 node to a 7.2 cluster.
CVE-2023-49338 — CVSS 7.5 (high): Couchbase Server 7.1.x and 7.2.x before 7.2.4 does not require authentication for the /admin/stats and /admin/vitals endpoints on TCP port…
CVE-2023-50782 — CVSS 7.5 (high): A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers…
CVE-2022-32193 — CVSS 6.5 (medium): Couchbase Server 6.6.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor.
CVE-2021-31158 — CVSS 6.5 (medium): In the Query Engine in Couchbase Server 6.5.x and 6.6.x through 6.6.1, Common Table Expression queries were not correctly checking the…
CVE-2024-56178 — CVSS 6.5 (medium): An issue was discovered in Couchbase Server 7.6.x through 7.6.3. A user with the security_admin_local role can create a new user in a group…
CVE-2023-45873 — CVSS 6.5 (medium): An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (application exist) because of the…
CVE-2023-43769 — CVSS 6.3 (medium): An issue was discovered in Couchbase Server through 7.1.4 before 7.1.5 and before 7.2.1. There are Unauthenticated RMI Service Ports…
CVE-2024-25673 — CVSS 6.1 (medium): Couchbase Server 7.6.x before 7.6.2, 7.2.x before 7.2.6, and all earlier versions allows HTTP Host header injection.
CVE-2019-11464 — CVSS 6.1 (medium): Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and…
CVE-2022-34826 — CVSS 5.9 (medium): In Couchbase Server 7.1.x before 7.1.1, an encrypted Private Key passphrase may be leaked in the logs.
CVE-2021-27924 — CVSS 5.9 (medium): An issue was discovered in Couchbase Server 6.x through 6.6.1. The Couchbase Server UI is insecurely logging session cookies in the logs…
CVE-2024-37034 — CVSS 5.9 (medium): An issue was discovered in Couchbase Server before 7.2.5 and 7.6.0 before 7.6.1. It does not ensure that credentials are negotiated with…
CVE-2023-49932 — CVSS 5.4 (medium): An issue was discovered in Couchbase Server before 7.2.4. An attacker can bypass SQL++ N1QL cURL host restrictions.
CVE-2023-28470 — CVSS 5.3 (medium): In Couchbase Server 5 through 7 before 7.1.4, the nsstats endpoint is accessible without authentication.
CVE-2022-33911 — CVSS 5.3 (medium): An issue was discovered in Couchbase Server 7.x before 7.0.4. Field names are not redacted in logged validation messages for Analytics…
CVE-2023-50436 — CVSS 5.3 (medium): An issue was discovered in Couchbase Server before 7.2.4. ns_server admin credentials are leaked in encoded form in the diag.log file. The…
CVE-2019-11466 — CVSS 5.3 (medium): In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes system diagnostic profile via an HTTP endpoint that does not require…
CVE-2019-11465 — CVSS 5.3 (medium): An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a…
CVE-2022-42950 — CVSS 4.9 (medium): An issue was discovered in Couchbase Server 7.x before 7.0.5 and 7.1.x before 7.1.2. A crafted HTTP REST request from an administrator…
CVE-2021-25643 — CVSS 4.9 (medium): An issue was discovered in Couchbase Server 5.x and 6.x before 6.5.2 and 6.6.x before 6.6.2. Internal users with administrator privileges…
CVE-2022-32561 — CVSS 4.9 (medium): An issue was discovered in Couchbase Server before 6.6.5 and 7.x before 7.0.4. Previous mitigations for CVE-2018-15728 were found to be…
CVE-2021-25645 — CVSS 4.4 (medium): An issue was discovered in Couchbase Server before 6.0.5, 6.1.x through 6.5.x before 6.5.2, and 6.6.x before 6.6.1. An internal user with…
CVE-2021-27925 — CVSS 4.4 (medium): An issue was discovered in Couchbase Server 6.5.x and 6.6.x through 6.6.1. When using the View Engine and Auditing is enabled, a crash…
CVE-2023-45874 — CVSS 4.3 (medium): An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (outage of reader threads).