Two vulnerabilities were disclosed in CouchDB: one allows remote creation of admin users (CVE-2017-12635) and the other allows command execution through an admin user (CVE-2017-12636). Chained together, an unauthenticated attacker can obtain remote code execution on the CouchDB host.
We recommend upgrading CouchDB to the latest version supported by Faraday (1.7.1, which contains the fix for both issues) and reviewing your security configuration using our guide:
https://github.com/infobyte/faraday/wiki/Security
Because of an older vulnerability/feature of CouchDB (configuration changes over the HTTP API), we already recommend restricting it with "config_whitelist = []" in the [httpd] section, see https://github.com/infobyte/faraday/wiki/Security#couchdb-rce-authenticated . Note that this is a workaround that helps only against CVE-2017-12636 (it blocks changing query_servers and other settings over HTTP); it does not protect against the admin-creation bug CVE-2017-12635, which is fixed only by upgrading.
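As an added example (not part of Faraday or the wiki guide), the following script checks a CouchDB instance for both the upgrade and the workaround described above: it compares the version reported by the banner against the fixed releases (1.7.1 for the 1.x line, 2.1.1 for 2.x) and, given admin credentials, reads /_config to verify that [httpd] config_whitelist is set to []. The fixed-version table, the basic-auth handling and the sample banner/config documents are assumptions made for this example.

```python
"""Assess a CouchDB instance for CVE-2017-12635 / CVE-2017-12636 (added example).

Usage: couchdb_check.py http://127.0.0.1:5984 [admin_user] [admin_password]
Without arguments it runs against a constructed sample (unpatched 1.6.1, no whitelist).
"""
import base64
import json
import sys
import urllib.request

# First release of each major line that carries the fix (assumption for this example,
# based on the upstream advisory: 1.7.1 and 2.1.1).
FIXED = {1: (1, 7, 1), 2: (2, 1, 1)}


def parse_version(text):
    """Turn '1.6.1' or '2.1.1-rc1' into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_is_patched(version):
    """True when the reported version is at or past the fixed release of its line."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        # 3.x and later were released after the fix; anything else is unknown/old.
        return v[0] > 2
    return v >= fixed


def config_changes_blocked(config):
    """True when [httpd] config_whitelist is the empty Erlang list '[]'.

    The /_config document returns values as strings; an empty whitelist means no
    setting (including query_servers) can be changed over HTTP, which is the
    CVE-2017-12636 workaround.
    """
    whitelist = config.get("httpd", {}).get("config_whitelist")
    return whitelist is not None and whitelist.strip() == "[]"


def assess(banner, config):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    version = banner.get("version", "unknown")
    if not version_is_patched(version):
        findings.append(
            f"CouchDB {version} predates the fix for CVE-2017-12635 and "
            f"CVE-2017-12636; upgrade to 1.7.1 (or 2.1.1 on the 2.x line)"
        )
    if not config_changes_blocked(config):
        findings.append(
            "[httpd] config_whitelist is not '[]': configuration can still be "
            "changed over HTTP (CVE-2017-12636 workaround missing)"
        )
    return findings


def fetch(base_url, user=None, password=""):
    """Fetch the banner (GET /) and the admin-only config (GET /_config) over HTTP basic auth."""
    def get(path):
        req = urllib.request.Request(base_url.rstrip("/") + path)
        if user:
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            req.add_header("Authorization", "Basic " + token)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return get("/"), get("/_config")


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        user = sys.argv[2] if len(sys.argv) > 2 else None
        password = sys.argv[3] if len(sys.argv) > 3 else ""
        banner, config = fetch(sys.argv[1], user, password)
    else:
        # Constructed sample documents: an unpatched 1.6.1 server without the whitelist.
        banner = {"couchdb": "Welcome", "version": "1.6.1"}
        config = {"httpd": {"bind_address": "127.0.0.1", "port": "5984"}}
    for finding in assess(banner, config):
        print("FINDING:", finding)
    if not assess(banner, config):
        print("OK: version patched and HTTP config changes blocked")
```

Reading /_config requires an admin account; on a server that has not yet been hardened the same endpoint is the one an attacker would use to set query_servers, so run the check before and after applying the workaround to confirm the PUT path is closed. A clean result from this script still depends on the upgrade for CVE-2017-12635: the whitelist does nothing for the admin-creation bug.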
More information:
https://justi.cz/security/2017/11/14/couchdb-rce-npm.html
https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12635