CouchDB REST API publicly accessible - Vulnerability Database

CouchDB REST API publicly accessible

Description

Apache CouchDB is an open-source NoSQL database that uses a document-oriented architecture and provides a RESTful HTTP API for all database operations.

This vulnerability occurs when CouchDB's REST API is exposed to the internet without proper authentication controls. By default, CouchDB installations may allow unauthenticated access to administrative functions and database operations, which is insecure for production environments. This misconfiguration enables any remote user to interact with the database without credentials.

Remediation

Implement the following security controls to protect the CouchDB REST API:

1. Enable authentication: Configure CouchDB to require authentication by setting up admin users in the local.ini configuration file:

[admins]
admin_username = secure_password

2. Restrict network access: Configure firewall rules to block external access to CouchDB ports (default 5984/5986). Only allow connections from trusted IP addresses or internal networks.

3. Bind to localhost: If CouchDB only needs to serve local applications, configure it to listen only on localhost by setting bind_address = 127.0.0.1 in the configuration file.

4. Use a reverse proxy: Place CouchDB behind a reverse proxy (such as nginx or Apache) with proper authentication and SSL/TLS encryption enabled.

5. Review permissions: Ensure database-level permissions are properly configured to follow the principle of least privilege.
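As an added example (not from Invicti's page or from the CouchDB project), the Python audit below parses a CouchDB local.ini and checks it against steps 1 and 3 above: at least one entry under [admins], and bind_address on a loopback address. It additionally checks require_valid_user, a real CouchDB setting under [chttpd] that the page does not mention; the two sample ini files are constructed for the example.

```python
"""Audit a CouchDB local.ini against the hardening steps above (added example)."""
import configparser
import ipaddress

# Constructed sample: what a default-looking local.ini can contain before the fix.
WEAK_INI = """
[chttpd]
port = 5984
bind_address = 0.0.0.0

[admins]
"""

# Constructed sample: the same file after the remediation steps are applied.
# CouchDB replaces the plaintext password with a salted hash on first start.
HARDENED_INI = """
[chttpd]
port = 5984
bind_address = 127.0.0.1
require_valid_user = true

[admins]
admin = correct-horse-battery-staple
"""


def audit_couchdb_ini(text: str) -> list:
    """Return a list of findings; an empty list means the config passes."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    findings = []
    # Step 1: authentication is only enforced once an admin user exists.
    if not cp.has_section("admins") or not dict(cp.items("admins")):
        findings.append("no admin user configured: [admins] is empty (admin-party mode)")
    # Step 3: CouchDB 2.x/3.x use [chttpd]; CouchDB 1.x used [httpd].
    section = "chttpd" if cp.has_section("chttpd") else "httpd"
    bind = cp.get(section, "bind_address", fallback="0.0.0.0")
    try:
        loopback = ipaddress.ip_address(bind).is_loopback
    except ValueError:  # CouchDB also accepts the literal "any" (all interfaces)
        loopback = False
    if not loopback:
        findings.append(f"bind_address={bind} listens on a non-loopback interface")
    # Extra check (assumption, not on the page): reject anonymous requests outright.
    if cp.get(section, "require_valid_user", fallback="false").lower() != "true":
        findings.append("require_valid_user is not enabled; anonymous requests reach the API")
    return findings


if __name__ == "__main__":
    print("weak:", audit_couchdb_ini(WEAK_INI))
    print("hardened:", audit_couchdb_ini(HARDENED_INI))
```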
