CVE-2023-28470: 
Couchbase vulnerability analysis and mitigation

In Couchbase Server versions 5 through 7 before 7.1.4, the nsstats endpoint is accessible without authentication. This vulnerability, identified as CVE-2023-28470, allows unauthorized users to view the names of Couchbase Server buckets, FTS indexes, and their configurations, though the actual contents of buckets and indexes remain protected (NVD, Couchbase Alerts).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The issue specifically affects the Full Text Search (FTS) service's /api/nsstats endpoint, which failed to implement proper authentication controls. This vulnerability is classified as CWE-306: Missing Authentication for Critical Function (NVD).

The vulnerability exposes sensitive configuration information, allowing unauthorized users to view the names of Couchbase Server buckets, Full Text Search (FTS) indexes, and their configurations. However, the actual contents of the buckets and indexes remain protected from unauthorized access (Couchbase Alerts).

The vulnerability has been fixed in Couchbase Server version 7.1.4. Users are advised to upgrade to this version or later to address the security issue. No temporary workarounds have been publicly documented (Release Notes).