CVE-2021-38295: 
Apache CouchDB vulnerability analysis and mitigation

Apache CouchDB (CVE-2021-38295) is a privilege escalation vulnerability discovered in versions prior to 3.1.2. The vulnerability was disclosed on October 12, 2021, affecting the CouchDB admin interface Fauxton and the deprecated show and list functionality (Vendor Advisory, NVD).

The vulnerability allows a malicious user with document creation permissions to attach HTML content to a database document. When a CouchDB admin opens this attachment through the Fauxton interface, any embedded JavaScript code executes within the admin's security context. The vulnerability received a CVSS v3.1 base score of 7.3 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability enables attackers to escalate their privileges, allowing them to add or remove data in any database and make configuration changes to the system. The attack requires user interaction, specifically requiring a CouchDB admin to open the malicious attachment (Vendor Advisory).

The issue was addressed in CouchDB 3.2.0 and later versions by implementing Content-Security-Policy headers for all attachment, show, and list requests. For version 3.1.2, while defaulting to previous behavior, configuration options were added to enable Content-Security-Policy headers for affected requests. For installations that require the previous behavior, configuration options are available to restore it (Vendor Advisory).