cvedb.io
CVE-2022-31022
MEDIUM · CVSS 6.2
EPSS exploitation probability: 0%
Published 2022-06-01T20:15:08.037 · Last modified 2026-06-17T04:44:37.473

Summary

Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (bleve/http) handlers for exposing the access to the indexes. For instance, the CreateIndexHandler (`http/index_create.go`) and DeleteIndexHandler (`http/index_delete.go`) enable an attacker to create a bleve index (directory structure) anywhere where the user running the server has the write permissions and to delete recursively any directory owned by the same user account. Users who have used the bleve/http package for exposing access to bleve index without the explicit handling for the Role Based Access Controls(RBA

Affected products

couchbase — bleve

Does this affect you?

Add your gear to cvedb and we'll alert you only when couchbase ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.