
Cloud Vulnerability DB
A community-led vulnerabilities database
Couchbase Server 5.x through 7.x before 7.0.4 exposes sensitive information to an unauthorized actor. The couchbase-cli spawns a very short-lived Erlang process that has the master password as a process argument, so anyone who captures the process list during that window obtains the master password. This only affects Couchbase Server clusters that use the Secrets Management feature (NVD, Couchbase Alerts).
The vulnerability stems from a process management issue in which the couchbase-cli tool exposes sensitive information through command-line arguments. Specifically, when it spawns a short-lived Erlang process, the master password for Secrets Management is passed as a process argument, making it temporarily visible in the process list (Couchbase Alerts). The vulnerability has been assigned a CVSS score of 5.5 (Medium severity) (NVD).
The vulnerability exposes the Secrets Management master password to potential attackers who can view the process list during the brief window when the Erlang process is running. This could lead to unauthorized access to sensitive information managed by the Secrets Management feature (Couchbase Alerts).
The vulnerability has been fixed in Couchbase Server versions 7.0.4 and 6.6.6. Users running affected versions should upgrade to these patched versions or later to resolve the issue (Couchbase Alerts).
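The weakness class described above (a secret passed as a process argument) can be reproduced and checked with a short Linux-only test. This is an added example, not Couchbase code and not a description of how Couchbase fixed the issue: the child process, the sample password and the stdin hand-off are assumptions chosen to contrast the weak pattern with a common safer one.

```python
import subprocess
import sys

SECRET = "constructed-master-password"  # constructed sample value, not a real secret
# Hypothetical stand-in for a short-lived helper: it blocks reading stdin until EOF.
CHILD = "import sys; sys.stdin.read()"


def visible_args(pid):
    """Return the argument vector exposed for `pid` via Linux /proc.

    /proc/<pid>/cmdline is readable by other local users by default.
    """
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [a.decode() for a in fh.read().split(b"\0") if a]


def spawn_with_argv(secret):
    """Weak pattern: the secret is passed as a process argument."""
    proc = subprocess.Popen([sys.executable, "-c", CHILD, secret],
                            stdin=subprocess.PIPE)
    try:
        return visible_args(proc.pid)
    finally:
        proc.communicate()  # closes stdin so the child exits


def spawn_with_stdin(secret):
    """Safer pattern: the secret is written to the child's stdin pipe."""
    proc = subprocess.Popen([sys.executable, "-c", CHILD],
                            stdin=subprocess.PIPE)
    try:
        proc.stdin.write(secret.encode())
        proc.stdin.flush()
        return visible_args(proc.pid)
    finally:
        proc.communicate()


def leaks(secret, args):
    """True if the secret appears anywhere in the exposed argument vector."""
    return any(secret in a for a in args)


if __name__ == "__main__":
    print("argv hand-off leaks secret :", leaks(SECRET, spawn_with_argv(SECRET)))
    print("stdin hand-off leaks secret:", leaks(SECRET, spawn_with_stdin(SECRET)))
```

The same `leaks` check can be used in a regression test for any tool that launches helper processes with credentials.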
Source: This report was generated using AI