
CVE-2018-11769: Apache CouchDB Remote Code Execution (Versions 1.x and ≤2.1.2) - based2
http://seclists.org/oss-sec/2018/q3/83
======
orf
Pretty sure this commit[1] is related to the fix. I'm guessing perhaps you
could bypass the blacklist of configuration settings you cannot change via
HTTP by adding whitespace to the key?

1. https://github.com/apache/couchdb/commit/2cec527cd183f8b247f7f4d8ec3fc2e17fbc7f1a

------
liveoneggs
so the admin user of the database can run commands on the database host with
the permissions of the database user locally

