RCE in Apache Couchdb

CVE-2012-5649

Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2.1 allows remote attackers to execute arbitrary code via a JSONP callback, related to Adobe Flash.

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.018 (83.3th percentile) — read the EPSS interpretation.

Affected products

Apache Couchdb — versions 1.0.0, 1.0.1, 1.0.2
N/a — versions n/a

Weakness classification (CWE)

CWE-94 — Code Injection

References

57314 (vdb-entry, x_refsource_BID)
51765 (x_refsource_SECUNIA, third-party-advisory)
20130114 CVE-2012-5649 Apache CouchDB JSONP arbitrary code execution with Adobe Flash (mailing-list, x_refsource_BUGTRAQ)
FEDORA-2013-1387 (x_refsource_FEDORA, vendor-advisory)
FEDORA-2013-1375 (x_refsource_FEDORA, vendor-advisory)
MDVSA-2013:067 (vendor-advisory, x_refsource_MANDRIVA)