CVE-2022-33911: 
Couchbase vulnerability analysis and mitigation

An issue was discovered in Couchbase Server 7.x before 7.0.4. Field names are not redacted in logged validation messages for Analytics Service. When creating secondary indexes with the Analytics Service, validation messages containing error codes ASX0013 and ASX1079 include unredacted field names that could expose sensitive information to unauthorized actors (NVD).

The vulnerability affects the Analytics Service component when creating secondary indexes. The issue specifically involves error messages with codes ASX0013 (used for reporting duplicate field names) and ASX1079, where field names in validation messages are logged without proper redaction. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) (NVD).

An unauthorized actor may be able to obtain sensitive information through the unredacted field names in logged validation messages. This could potentially expose internal data structure details or sensitive field names that were meant to remain private (Couchbase Alerts).

The vulnerability has been fixed in Couchbase Server version 7.0.4 and 6.6.6. Users should upgrade to these or later versions to address the issue (Couchbase Alerts).