CVE-2022-32558: 
Couchbase vulnerability analysis and mitigation

An issue was discovered in Couchbase Server before 7.0.4 where sample bucket loading may leak internal user passwords during a failure. The vulnerability was discovered and disclosed in June 2022, affecting multiple versions of Couchbase Server including 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.6.5, 6.6.4, 6.6.3, 6.6.2, 6.6.1, and 6.6.0 (Couchbase Alerts).

The vulnerability occurs when there is a failure during the loading of sample buckets (beer-sample, gamesim-sample, travel-sample). During such failures, the password for the internal @nsserver admin user may be leaked into various log files including debug.log, error.log, info.log, and reports.log. The @nsserver account has administrative privileges and can be used to perform administrative actions. The vulnerability has been assigned a CVSS score of 6.4, indicating medium severity (Couchbase Alerts).

The main impact of this vulnerability is the potential exposure of administrative credentials. If an attacker gains access to the log files during a sample bucket loading failure, they could obtain the password for the internal @ns_server admin user. Since this account has administrative privileges, a compromised password could allow unauthorized administrative access to the Couchbase Server (Couchbase Alerts).

The vulnerability has been fixed in Couchbase Server versions 7.0.4 and 6.6.6. Users running affected versions should upgrade to these or later versions to address the vulnerability (Couchbase Alerts).