CVE-2022-42951: 
Couchbase vulnerability analysis and mitigation

An issue was discovered in Couchbase Server 6.5.x and 6.6.x before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2. During the start-up of a Couchbase Server node, there is a small window of time (before the cluster management authentication has started) where an attacker can connect to the cluster manager using default credentials. If an attacker connects during this period, they can execute arbitrary code remotely on any cluster node until their connection is dropped. The executed code will run with the same privileges as the Couchbase Server (CVE Details, Couchbase Alerts).

The vulnerability exists in the Erlang distribution protocol during node startup. During this period, the security cookie is set to "nocookie" which lacks access controls. This creates a critical security window where the cluster manager is vulnerable to unauthorized access (Couchbase Alerts). The vulnerability has been assigned a CVSS score of 9.8 (Critical), indicating the highest level of severity (Couchbase Alerts).

The vulnerability allows attackers to execute arbitrary code remotely on any cluster node with the same privileges as the Couchbase Server. This means an attacker could potentially gain complete control over the affected nodes and access or modify data stored in the database (Couchbase Alerts).

The issue has been fixed in Couchbase Server versions 7.1.2, 7.0.5, and 6.6.6. Users running affected versions should upgrade to these patched versions immediately to address the vulnerability (Couchbase Alerts).