id: CVE-2020-9039
info:
  name: Couchbase Server - Broken Access Control
  author: pussycat0x
  severity: critical
  description: |
    Couchbase Server versions 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0-4.6.5, 5.0.0, 5.1.1, 5.5.0, and 5.5.1 contain insecure permissions for the projector and indexer REST endpoints caused by unauthenticated access, letting attackers access administrative APIs without authentication, exploit requires no special conditions.
  impact:
    Attackers can access and modify administrative settings, potentially leading to data tampering or system compromise.
  remediation:
    Update to the latest version where the /settings REST endpoint requires authentication.
  reference:
    - https://docs.couchbase.com/server/current/index-rest-settings/index.html#Settings
  metadata:
    max-request: 2
    verified: false
    shodan-query: html:"Couchbase"
  tags: cve,cve2020,couchbase,unauth

http:
  - method: GET
    path:
      - "{{BaseURL}}/settings"
      - "{{BaseURL}}/indexer/settings"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_any(body, 'indexer.settings','projector.settings','max_seckey_size')"
        condition: and
# digest: 4b0a00483046022100da7adbd98d63ca28f47de38fd4542da9bc32d6ca0ac75d2e05b03fa2b3cd2c11022100f007afe0c6ed9729ea6532e49b58a40a6e82707c79fe1f12952feb7ec068d5dc:922c64590222798bb761d5b6d8e72950