
Apache CouchDB 1.7.0/2.x < 2.1.1 Remote Code Execution (CVE-2017-12636)


Overview

CVE-2017-12636 is a remote code execution vulnerability in Apache CouchDB before 1.7.0 and in the 2.x line before 2.1.1. CouchDB is a document-oriented database exposed through HTTP APIs, and its administrative configuration interface controls behavior that reaches operating system-level binaries.

Vulnerability Overview

CVE-2017-12636 allows a CouchDB administrative user to configure paths for operating system-level binaries that CouchDB later launches. If those paths are set to attacker-controlled commands or scripts, CouchDB can be made to execute arbitrary shell commands as the CouchDB service user.

The issue is important because CouchDB configuration can be changed over HTTP(S) by administrative users. In combination with weak administrative controls, exposed management APIs, or related privilege escalation issues, configuration functionality can become a command execution path.

Impact

CVE-2017-12636 has a CVSS 3.0 score of 7.2 and is rated High. The score reflects network reachability, low attack complexity, high privileges required, no user interaction, and high confidentiality, integrity, and availability impact.

Successful exploitation can allow command execution as the CouchDB user, access to database files, modification of data, execution of downloaded scripts, persistence through configuration abuse, or lateral movement from the database host.

Vulnerability Scope

CVE-2017-12636 affects Apache CouchDB before 1.7.0 and Apache CouchDB 2.x before 2.1.1. CVE.org lists affected branches as 1.2.0 through 1.6.1 and 2.0.0 through 2.1.0.

The highest-risk exposure is a CouchDB instance where administrative access is reachable over the network, credentials are weak or compromised, or another issue grants administrative privileges. This vulnerability should be evaluated together with CouchDB access control and exposed management API posture.
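The two checks a defender would run against the behavior described above (the launcher paths CouchDB is configured to execute, and the affected version ranges from the scope section), as an added example that is not part of the original lab page or of CouchDB itself. It assumes you have already retrieved the node's welcome document (`GET /`) and configuration dump (`GET /_config`) as JSON; the section names `query_servers` and `os_daemons` are CouchDB configuration sections, the trusted-path prefixes are an assumption for the lab, and both sample responses are constructed.

```python
import json
import shlex

# Affected ranges as stated in the advisory: 1.2.0 up to (excluding) 1.7.0,
# and 2.0.0 up to (excluding) 2.1.1.
AFFECTED_RANGES = (((1, 2, 0), (1, 7, 0)), ((2, 0, 0), (2, 1, 1)))
# Configuration sections whose values CouchDB launches as OS processes.
EXEC_SECTIONS = ("query_servers", "os_daemons")
# Directories where launcher binaries are expected (assumption; adjust per install).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/lib/couchdb/", "/opt/couchdb/")

def parse_version(text):
    """Turn '2.1.0', '1.6.1-1' or '2.1.0+build' into a 3-tuple of ints."""
    parts = text.split("+")[0].split("-")[0].split(".")
    nums = [int(p) for p in parts if p.isdigit()]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])

def is_affected(version):
    """True when the reported version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def suspicious_launchers(config):
    """Flag executable-launching config entries whose binary is outside trusted paths."""
    findings = []
    for section in EXEC_SECTIONS:
        for name, command in config.get(section, {}).items():
            try:
                exe = shlex.split(command)[0]          # first token is the binary
            except (ValueError, IndexError):
                findings.append((section, name, command, "unparseable command"))
                continue
            if not exe.startswith(TRUSTED_PREFIXES):
                findings.append((section, name, command, "launcher outside trusted paths"))
    return findings

# Constructed sample responses (not captured from a real server).
WELCOME = json.loads('{"couchdb": "Welcome", "version": "2.1.0"}')
CONFIG = json.loads('''{
  "query_servers": {"javascript": "/opt/couchdb/bin/couchjs /opt/couchdb/share/server/main.js",
                    "custom": "/tmp/unexpected_server"},
  "os_daemons": {"watch": "/usr/lib/couchdb/bin/watch_daemon"},
  "httpd": {"port": "5984"}
}''')

if __name__ == "__main__":
    print("version affected:", is_affected(WELCOME["version"]))
    for finding in suspicious_launchers(CONFIG):
        print("FLAG", finding)
```

A clean result is an unaffected version and an empty findings list; any flagged entry should be reconciled against change records for the `_config` endpoint, since a legitimate administrator had to set it.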

Lab Focus

This lab focuses on understanding how administrative configuration features can become command execution paths when they control operating system-level executables. The goal is to practice evaluating database management APIs, privilege requirements, and the difference between unauthenticated RCE and admin-context RCE.

Resources