Description
An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a non-redacted username. The system information submitted to Couchbase as part of a bug report included the usernames for all users currently logged into the system even if the log was redacted for privacy. This has been fixed (in 5.5.4 and 6.0.1) so that usernames are tagged properly in the logs and are hashed out when the logs are redacted.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_misc
https://www.couchbase.com/resources/security#SecurityAlerts
Scores
CVSS v3
5.3
EPSS
0.0029
EPSS Percentile
52.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-532
Status
published
Products (2)
couchbase/couchbase_server
6.0.0
couchbase/couchbase_server
5.5.0 - 5.5.3
Published
Sep 10, 2019
Tracked Since
Feb 18, 2026