CVE-2020-24719
CRITICAL
Couchbase Server < 6.6.0 - OS Command Injection
Title source: rule
Description
An exposed Erlang cookie could lead to a Remote Command Execution (RCE) attack. Communication between Erlang nodes is done by exchanging a shared secret (aka "magic cookie"). There are cases where the magic cookie is included in the content of the logs. An attacker can use the cookie to attach to an Erlang node and run OS-level commands on the system running the Erlang node. Affects version: 6.5.1. Fix version: 6.6.0.
Exploits (1)
metasploit
WORKING POC
GREAT
by Daniel Mende, Milton Valencia (wetw0rk) · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/erlang_cookie_rce.rb
Scores
CVSS v3: 9.8
EPSS: 0.6267
EPSS Percentile: 98.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-78
Status: published
Products (1): couchbase/couchbase_server 6.5.1 - 6.6.0
Published: Nov 12, 2020
Tracked Since: Feb 18, 2026