CVE-2024-37034: 
Couchbase vulnerability analysis and mitigation

An issue was discovered in Couchbase Server before 7.2.5 and 7.6.0 before 7.6.1, where credentials are not properly negotiated with the Key-Value (KV) service using SCRAM-SHA when remote link encryption is configured for Half-Secure. This vulnerability is tracked as CVE-2024-37034 and was disclosed in July 2024 (NVD, Couchbase Alert).

The vulnerability stems from a security flaw where the SDK negotiates with SCRAM-SHA by default when remote link encryption is configured for Half-Secure mode. This configuration allows for potential Man-in-the-Middle (MITM) attacks to negotiate for PLAIN credentials. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could allow an attacker to perform Man-in-the-Middle attacks to negotiate for PLAIN credentials, potentially compromising the confidentiality of authentication credentials. This affects the security of communication between clients and the Key-Value service in Couchbase Server deployments (Couchbase Alert).

The vulnerability has been fixed in Couchbase Server versions 7.6.1 and 7.2.5. Users are advised to upgrade to these patched versions to mitigate the security risk (Couchbase Alert).