Arbitrary Code Injection

Affecting pouchdb package, versions <=6.0.4

Overview

pouchDB is an open-source JavaScript database inspired by Apache CouchDB that is designed to run well within the browser.

In vulnerable versions, the evalView function in pouchdb-core executed view functions without a sandbox, so the code of a view ran with full access to the host's scope and globals. The fix was introduced in version 6.0.5, which executes the view function in a sandbox and enforces strict mode when running in Node.js.

The vulnerability was reported by micaksica.

Remediation

Upgrade pouchDB to version 6.0.5 or later.

CVSS Score

10.0
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Changed
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Credit
micaksica
CVE
CVE-2016-10546
CWE
CWE-94
Snyk ID
npm:pouchdb:20160830
Disclosed
30 Aug, 2016
Published
17 Oct, 2016