Approved changes feed: RSS · Atom

cpe:2.3:a:couchbase:sync_gateway:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorCouchbase (75b35c19-6384-575a-856c-d68a8fd3e277)
ProductSync Gateway (a533cf93-30ce-57f4-8015-46970260cb3b)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from purl2cpe mapping

PURL mappings

PURLSourceLast updated
pkg:docker/tleyden5iwx/sync_gateway purl2cpe 2026-06-01 10:17:18.455645
pkg:github/couchbase/sync_gateway purl2cpe 2026-06-01 10:17:18.455649

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2025-52490 vulnerable 2026-06-08 07:31:11.678515 Details available
An issue was discovered in Couchbase Sync Gateway before 3.2.6. In sgcollect_info_options.log and sync_gateway.log, there are cleartext passwords in redacted and unredacted output.
Published: 2025-07-29T00:00:00.000Z
Updated: 2025-07-29T20:27:03.220Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-32563 vulnerable 2026-06-08 05:44:45.138212 Details available
An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509 client certificates, the admin credentials provided to the Admin REST API are ignored, resulting in privilege escalation for unauthenticated users. The Public REST API is not impacted by this issue. A workaround is to replace X.509 certificate based authentication with Username and Password authentication inside the bootstrap configuration.
Published: 2022-06-10T11:57:58.000Z
Updated: 2024-08-03T07:46:43.590Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-43963 vulnerable 2026-06-08 05:36:44.662281 Details available
An issue was discovered in Couchbase Sync Gateway 2.7.0 through 2.8.2. The bucket credentials used to read and write data in Couchbase Server were insecurely being stored in the metadata within sync documents written to the bucket. Users with read access could use these credentials to obtain write access. (This issue does not affect clusters where Sync Gateway is authenticated with X.509 client certificates. This issue also does not affect clusters where shared bucket access is not enabled on Sync Gateway.)
Published: 2021-12-07T21:05:13.000Z
Updated: 2024-08-04T04:10:17.137Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-9041 vulnerable 2026-06-08 05:27:20.308430 Details available
In Couchbase Server 6.0.3 and Couchbase Sync Gateway through 2.7.0, the Cluster management, views, query, and full-text search endpoints are vulnerable to the Slowloris denial-of-service attack because they don't more aggressively terminate slow connections.
Published: 2020-06-08T15:21:37.000Z
Updated: 2024-08-04T10:19:19.797Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.