CVE-2023-45725: 
Apache CouchDB vulnerability analysis and mitigation

CVE-2023-45725 is a security vulnerability affecting Apache CouchDB versions 3.3.2 and below, discovered and disclosed on December 12, 2023. The vulnerability involves design document functions that receive user HTTP request objects potentially exposing authorization or session cookie headers of users who access the document. The affected design document functions include list, show, rewrite, and update functions (CouchDB Docs).

The vulnerability allows an attacker to leak session components through multiple methods: using HTML-like output, inserting the session as an external resource (such as an image), or storing credentials in a _local document with an 'update' function. The vulnerability has been assigned a CVSS v3.1 base score of 5.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N (NVD).

The vulnerability can lead to privilege escalation when an attacker successfully inserts malicious design documents into the database and manipulates a user to access a function from that design document. This could result in the exposure of sensitive authentication credentials and session information (CouchDB Docs).

The vulnerability has been fixed in CouchDB version 3.3.3, which scrubs sensitive headers from HTTP request objects passed to the query server execution environment. For older versions, a patch to the loop.js file is available. As a workaround, users are advised to avoid using design documents from untrusted sources which may attempt to access or manipulate request object's headers (CouchDB Docs).

The vulnerability was independently discovered by multiple security researchers, including Natan Nehorai and reported by Or Peles from the JFrog Vulnerability Research Team, as well as Richard Ellis and Mike Rhodes from IBM/Cloudant (CouchDB Docs).