A misconfigured CouchDB instance of AnyFile was exposed.
A CouchDB instance holding AnyFile data was accessible through API endpoints on an unpublished IP address. Because the base CouchDB image was misconfigured, the instance did not require authentication for programmatic (HTTP API) access.
The server has since been configured correctly and no longer allows unauthenticated access. A full sweep of the infrastructure showed that this was the only server affected.
The internal IP address was not published in any documentation or on any website. Only the API was exposed; the Fauxton front end to CouchDB required authentication.
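The condition described above (an API that answers anonymous requests because the image shipped without `require_valid_user`) can be checked both from the configuration file and from the outside. The script below is an added example, not AnyFile's own tooling: it audits a CouchDB `local.ini` for the settings that govern anonymous API access and classifies the response to an unauthenticated `GET /_all_dbs`. The two `.ini` samples are constructed for illustration; the `[chttpd]` keys `require_valid_user` and `bind_address` and the `[admins]` section are real CouchDB 3.x configuration, the hashed-password value is a placeholder.

```python
"""Offline audit helpers for a CouchDB instance that may accept anonymous API calls.

Added example; assumes CouchDB 3.x configuration layout (local.ini).
"""
import configparser
import json
import urllib.error
import urllib.request

# Constructed sample: a local.ini that leaves the HTTP API open to anonymous callers.
WEAK_INI = """
[chttpd]
bind_address = 0.0.0.0
require_valid_user = false

[admins]
"""

# Constructed sample: the same file after hardening (placeholder hash, not a real credential).
HARDENED_INI = """
[chttpd]
bind_address = 127.0.0.1
require_valid_user = true

[admins]
admin = -pbkdf2-<hashed password placeholder>
"""


def audit_ini(text):
    """Return a list of findings for a CouchDB local.ini; an empty list means nothing flagged."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    findings = []
    # Without require_valid_user = true, every endpoint not otherwise restricted
    # answers unauthenticated requests.
    if cp.get("chttpd", "require_valid_user", fallback="false").strip().lower() != "true":
        findings.append("chttpd.require_valid_user is not true: anonymous API requests are accepted")
    # Listening on all interfaces is what turned an internal IP into an exposure.
    if cp.get("chttpd", "bind_address", fallback="127.0.0.1").strip() == "0.0.0.0":
        findings.append("chttpd.bind_address is 0.0.0.0: API listens on every interface")
    # An empty [admins] section means no admin account is defined at all.
    if not cp.has_section("admins") or not dict(cp.items("admins")):
        findings.append("[admins] is empty: server runs without an admin account")
    return findings


def classify_probe(status, body):
    """Interpret the response to an unauthenticated GET /_all_dbs on your own server.

    CouchDB returns 401 when require_valid_user is on; a 200 carrying a JSON list
    of database names means anonymous enumeration is possible.
    """
    if status == 401:
        return "protected"
    if status == 200:
        try:
            names = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(names, list):
            return "exposed"
    return "unknown"


def probe(base_url, timeout=5):
    """Live check of a server you operate; not exercised offline."""
    req = urllib.request.Request(base_url.rstrip("/") + "/_all_dbs")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_probe(err.code, err.read().decode())


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_ini(ini) or "no findings")
```

Run `audit_ini` against the `local.ini` baked into a container image before it is deployed; the same three checks are what a base-image review would have caught here. Pair it with `probe("http://<your-host>:5984")` from the network position an attacker would have, since the configuration on disk and the effective configuration of a running node can differ.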
Mitigation Actions Taken
- Rehash all public-facing indices
- Enable heightened security options at (our uploading partner)
- Disable all IP-based access to infrastructure
- Upgrade software versions of infrastructure
AnyFile takes security matters seriously and this issue was fixed as soon as possible after it was reported.