atom feed1 message in org.apache.couchdb.userCVE-2012-5649 Apache CouchDB JSONP ar...
FromSent OnAttachments
Jan LehnardtJan 14, 2013 2:05 am 
Subject:CVE-2012-5649 Apache CouchDB JSONP arbitrary code execution with Adobe Flash
From:Jan Lehnardt (
Date:Jan 14, 2013 2:05:56 am


JSONP arbitrary code execution with Adobe Flash

Severity: Moderate

Vendor: The Apache Software Foundation

Affected Versions: JSONP is supported but disabled by default in all currently supported releases of Apache CouchDB. Administrator access is required to enable it. Releases up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable, if administrators have enabled JSONP.

Description: A hand-crafted JSONP callback and response can be used to run arbitrary code inside client-side browsers via Adobe Flash.

Mitigation: Upgrade to a supported release that includes this fix, such as CouchDB 1.0.4, 1.1.2, 1.2.1, and the future 1.3.x series, all of which include a specific fix.

Work-Around: Disable JSONP.