{"id":"CVE-2020-1955","details":"CouchDB version 3.0.0 shipped with a new configuration setting that governs access control to the entire database server called `require_valid_user_except_for_up`. It was meant as an extension to the long-standing setting `require_valid_user`, which in turn requires that any and all requests to CouchDB will have to be made with valid credentials, effectively forbidding any anonymous requests. The new `require_valid_user_except_for_up` is an off-by-default setting that was meant to allow requiring valid credentials for all endpoints except for the `/_up` endpoint. However, the implementation of this made an error that led to not enforcing credentials on any endpoint, when enabled. CouchDB versions 3.0.1[1] and 3.1.0[2] fix this issue.","aliases":["BIT-couchdb-2020-1955"],"modified":"2026-04-10T04:18:46.103408Z","published":"2020-05-20T14:15:11.550Z","references":[{"type":"ADVISORY","url":"https://docs.couchdb.org/en/master/cve/2020-1955.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/couchdb","events":[{"introduced":"0"},{"last_affected":"03a77db6ca41ab48a198f36c1dfab48d18ade624"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.0.0"}]}}],"versions":["2.0.0-RC1","2.0.0-RC3","2.0.0-RC4","2.1.0","2.1.0-RC1","2.2.0-RC1","2.3.0","2.3.0-RC1","2.3.1-last","3.0.0","3.0.0-RC1","3.0.0-RC2","3.0.0-RC3","fauxton"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-1955.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}