Information disclosure in Apache Couchdb

CVE-2010-0009

Apache CouchDB 0.8.0 through 0.10.1 allows remote attackers to obtain sensitive information by measuring the completion time of operations that verify (1) hashes or (2) passwords.

Vulnerability class: Information Disclosure

EPSS: 0.015 (81.5th percentile) — read the EPSS interpretation.

Affected products

Apache Couchdb — versions 0.10.0, 0.9.1, 0.8.0
N/a — versions n/a

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

20100331 [SECURITY] CVE-2008-2370: Apache CouchDB Timing Attack Vulnerability (mailing-list, x_refsource_BUGTRAQ)
secalert@redhat.com (x_refsource_CONFIRM, Patch, Vendor Advisory)
39146 (x_refsource_SECUNIA, Vendor Advisory, third-party-advisory)
63350 (x_refsource_OSVDB, vdb-entry)
20100331 [SECURITY] CVE-2008-2370: Apache CouchDB Timing Attack Vulnerability (mailing-list, x_refsource_BUGTRAQ)
39116 (vdb-entry, x_refsource_BID)
secalert@redhat.com (x_refsource_CONFIRM)