Add CVE-2017-12635 POC #11

Open · wants to merge 3 commits into master
17 changes: 17 additions & 0 deletions CVE-2017-12635.md
@@ -0,0 +1,17 @@
# CVE-2017-12635

- Report: Nov 14, 2017
- Credit: Max Justicz

## PoC

- [CVE-2017-12635](https://github.com/assalielmehdi/CVE-2017-12635.git)

## Reference

- [Apache Docs-Security Issues](https://docs.couchdb.org/en/stable/cve/2017-12635.html)
- [National Vulnerability Database](https://nvd.nist.gov/vuln/detail/CVE-2017-12635)
- [CVE-Details](https://www.cvedetails.com/cve/CVE-2017-12635/)
- [ExploitDB](https://www.exploit-db.com/exploits/44498)
- [Write up by Max Justicz](https://justi.cz/security/2017/11/14/couchdb-rce-npm.html)
- [Apache CouchDB 1.6 Documentation](https://docs.couchdb.org/en/1.6.1/)
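Review bot: the PoC entry links to the clone URL `https://github.com/assalielmehdi/CVE-2017-12635.git`; for a markdown link a reader clicks, drop the `.git` suffix so it resolves to the repository page rather than a git endpoint. Two reference labels could also be sharper: "Apache Docs-Security Issues" points at the CouchDB documentation's advisory page for this CVE, so a label such as "Apache CouchDB Security Advisory" describes it better, and "Apache CouchDB 1.6 Documentation" links to the general 1.6.1 docs, so a few words on what it is cited for would help readers who are not expecting a general manual in a CVE reference list.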
5 changes: 5 additions & 0 deletions README.md
Expand Up @@ -397,6 +397,7 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
- [CVE-2017-12611](#cve-2017-12611)
- [CVE-2017-12615](#cve-2017-12615)
- [CVE-2017-12617](#cve-2017-12617)
- [CVE-2017-12635](#cve-2017-12635)
- [CVE-2017-13089](#cve-2017-13089)
- [CVE-2017-13156](#cve-2017-13156)
- [CVE-2017-13253](#cve-2017-13253)
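Review bot: the table-of-contents entry is inserted in numeric order between CVE-2017-12617 and CVE-2017-13089, and its anchor `#cve-2017-12635` matches the heading text added further down in README.md, so the index stays consistent; nothing further needed in this hunk.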
Expand Down Expand Up @@ -2357,6 +2358,10 @@ If you enjoy this awesome list and would like to support it, check out my [Patre

- When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

### [CVE-2017-12635](https://github.com/assalielmehdi/CVE-2017-12635.git)

- In Apache CouchDB before 1.7.0 and 2.x before 2.1.1, due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible to submit \_users documents with duplicate keys for 'roles' used for access control within the database, including the special case '\_admin' role, that denotes administrative users. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.

### [CVE-2017-13089](https://paper.seebug.org/525/)

- The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.
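Review bot: the new heading links to the `.git` clone URL, whereas the neighbouring entry for CVE-2017-13089 links to an advisory or write-up; for consistency, point the heading at the PoC repository page (without `.git`) or at the CouchDB advisory, and keep the PoC link where it already lives in CVE-2017-12635.md. The backslash escapes in `\_users` and `\_admin` are correct markdown, since a bare `_users ... _admin` pair would otherwise render as emphasis; keep them as written.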