CVE-2023-26268: 
Apache CouchDB vulnerability analysis and mitigation

CVE-2023-26268 is a security vulnerability affecting Apache CouchDB through version 3.3.1 and IBM Cloudant through version 8349. The vulnerability was discovered and disclosed on May 2, 2023. The issue involves design documents with matching document IDs from databases on the same cluster potentially sharing a mutable Javascript environment when using specific design document functions (CVE Details).

The vulnerability affects several design document functions including validatedocupdate, list, filter, filter views (using view functions as filters), rewrite, and update functions. Notably, this issue does not impact map/reduce or search (Dreyfus) index functions. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, while Apache Software Foundation rated it at 4.4 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could lead to information disclosure between different databases on the same cluster through shared JavaScript environments. This could potentially allow sensitive information to leak between different databases that should otherwise be isolated from each other (CouchDB Docs).

Users are recommended to upgrade to Apache CouchDB version 3.3.2 or 3.2.3, which addresses this vulnerability by matching Javascript execution processes by database names in addition to design document IDs. As a workaround, users should avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment (CouchDB Docs).