16.5. CVE-2012-5649: JSONP arbitrary code execution with Adobe Flash¶
| Date: | 14.01.2013 |
|---|---|
| Affected: | Releases up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable, if administrators have enabled JSONP. |
| Severity: | Moderate |
| Vendor: | The Apache Software Foundation |
16.5.1. Description¶
A hand-crafted JSONP callback and response can be used to run arbitrary code inside client-side browsers via Adobe Flash.
16.5.2. Mitigation¶
Upgrade to a supported CouchDB release that includes this fix, such as:
All listed releases have included a specific fix.
16.5.3. Work-Around¶
Disable JSONP or don’t enable it since it’s disabled by default.