ID

VAR-202206-0884


CVE

CVE-2022-32563


TITLE

Certificate validation vulnerability in Couchbase, Inc. Sync Gateway

Trust: 0.8

sources: JVNDB: JVNDB-2022-011273

DESCRIPTION

An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509 client certificates, the admin credentials provided to the Admin REST API are ignored, resulting in privilege escalation for unauthenticated users. The Public REST API is not impacted by this issue. A workaround is to replace X.509 certificate based authentication with Username and Password authentication inside the bootstrap configuration. Couchbase, Inc. Sync Gateway contains a certificate validation vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).

Trust: 1.8

sources: NVD: CVE-2022-32563 // JVNDB: JVNDB-2022-011273 // VULHUB: VHN-424651 // VULMON: CVE-2022-32563

AFFECTED PRODUCTS

vendor: couchbase, model: sync gateway, scope: gte, version: 3.0.0

Trust: 1.0

vendor: couchbase, model: sync gateway, scope: lt, version: 3.0.2

Trust: 1.0

vendor: couchbase, model: sync gateway, scope: eq, version: -

Trust: 0.8

vendor: couchbase, model: sync gateway, scope: eq, version: 3.0.0 or later, before 3.0.2

Trust: 0.8

vendor: couchbase, model: sync gateway, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-011273 // NVD: CVE-2022-32563

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-32563
value: CRITICAL

Trust: 1.0

NVD: CVE-2022-32563
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202206-1008
value: CRITICAL

Trust: 0.6

VULHUB: VHN-424651
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-32563
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-32563
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-424651
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-32563
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-32563
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-424651 // VULMON: CVE-2022-32563 // JVNDB: JVNDB-2022-011273 // CNNVD: CNNVD-202206-1008 // NVD: CVE-2022-32563

PROBLEMTYPE DATA

problemtype: CWE-295

Trust: 1.1

problemtype: Improper certificate validation (CWE-295) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-424651 // JVNDB: JVNDB-2022-011273 // NVD: CVE-2022-32563

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-1008

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202206-1008

PATCH

title: Couchbase Sync Gateway Repair measures for trust management problem vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=196737

Trust: 0.6

sources: CNNVD: CNNVD-202206-1008

EXTERNAL IDS

db: NVD, id: CVE-2022-32563

Trust: 3.4

db: JVNDB, id: JVNDB-2022-011273

Trust: 0.8

db: CNNVD, id: CNNVD-202206-1008

Trust: 0.6

db: VULHUB, id: VHN-424651

Trust: 0.1

db: VULMON, id: CVE-2022-32563

Trust: 0.1

sources: VULHUB: VHN-424651 // VULMON: CVE-2022-32563 // JVNDB: JVNDB-2022-011273 // CNNVD: CNNVD-202206-1008 // NVD: CVE-2022-32563

REFERENCES

url:https://forums.couchbase.com/tags/security

Trust: 2.6

url:https://www.couchbase.com/alerts

Trust: 2.6

url:https://nvd.nist.gov/vuln/detail/cve-2022-32563

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-32563/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/295.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-424651 // VULMON: CVE-2022-32563 // JVNDB: JVNDB-2022-011273 // CNNVD: CNNVD-202206-1008 // NVD: CVE-2022-32563

SOURCES

db: VULHUB, id: VHN-424651
db: VULMON, id: CVE-2022-32563
db: JVNDB, id: JVNDB-2022-011273
db: CNNVD, id: CNNVD-202206-1008
db: NVD, id: CVE-2022-32563

LAST UPDATE DATE

2024-11-23T22:43:54.867000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-424651, date: 2022-06-17T00:00:00
db: VULMON, id: CVE-2022-32563, date: 2022-06-17T00:00:00
db: JVNDB, id: JVNDB-2022-011273, date: 2023-08-21T08:18:00
db: CNNVD, id: CNNVD-202206-1008, date: 2022-06-20T00:00:00
db: NVD, id: CVE-2022-32563, date: 2024-11-21T07:06:38.683

SOURCES RELEASE DATE

db: VULHUB, id: VHN-424651, date: 2022-06-10T00:00:00
db: VULMON, id: CVE-2022-32563, date: 2022-06-10T00:00:00
db: JVNDB, id: JVNDB-2022-011273, date: 2023-08-21T00:00:00
db: CNNVD, id: CNNVD-202206-1008, date: 2022-06-10T00:00:00
db: NVD, id: CVE-2022-32563, date: 2022-06-10T12:15:07.927