Couchbase Server
CVE-2019-11465
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a non-redacted username. The system information submitted to Couchbase as part of a bug report included the usernames for all users currently logged into the system even if the log was redacted for privacy. This has been fixed (in 5.5.4 and 6.0.1) so that usernames are tagged properly in the logs and are hashed out when the logs are redacted.
AnalysisAI
An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-532. An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a non-redacted username. The system information submitted to Couchbase as part of a bug report included the usernames for all users currently logged into the system even if the log was redacted for privacy. This has been fixed (in 5.5.4 and 6.0.1) so that usernames are tagged properly in the logs and are hashed out when the logs are redacted. Affected products include: Couchbase Couchbase Server. Version information: through 5.5.3.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Couchbase Server
View allExposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Rated critical severity (CVSS 9.8), this vuln
Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 have Insecure Per
Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corr
Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Rated hig
Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Rated critical severity (CVSS 9.8), this vu
In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely. Rated critical sever
An issue was discovered in Couchbase Server before 7.0.4. Rated critical severity (CVSS 9.1), this vulnerability is remo
In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and writ
Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corr
An issue was discovered in Couchbase Server before 7.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely
In Couchbase Server 6.0, credentials cached by a browser can be used to perform a CSRF attack if an administrator has us
A flaw was found in the python-cryptography package. Rated high severity (CVSS 7.5), this vulnerability is remotely expl
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today