Vulnerability principle:
the Apache CouchDB is an open source database, focusing on ease of use and become a "fully embrace the web database." It is a use as a storage format JSON, JavaScript as a query language, MapReduce and HTTP as NoSQL database API. A wide range of applications, such as BBC with its dynamic content display platform, market framework with Credit Suisse in its internal commodity sectors, Meebo, with its social platform (web and applications).
In November 15, 2017, CVE-2017-12635 and CVE-2017-12636 disclose, CVE-2017-12635 is due to different Erlang and JavaScript JSON parsing mode, resulting in a difference of statement execution caused. This loophole allows any user to create administrator privileges belong vertical bypass vulnerability.
Vulnerability reproduction:
capture packets sent after the contents 
returned 403 error, sends a packet containing two roles field, you can bypass the restrictions 
successfully created an administrator account passwords are vulhub
again visit http: // your-ip: 5984 / _utils /, enter the account password nnn, you can log in successfully: