CVE-2023-47118

2023-12-2017:15:08

CWE-787

CWE-122

[email protected]

web.nvd.nist.gov

clickhouse

cve-2023-47118

open-source

database

management system

heap buffer overflow

security

vulnerability

remote attack

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.6%

JSON

ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real-time. A heap buffer overflow issue was discovered in ClickHouse server. An attacker could send a specially crafted payload to the native interface exposed by default on port 9000/tcp, triggering a bug in the decompression logic of T64 codec that crashes the ClickHouse server process. This attack does not require authentication. Note that this exploit can also be triggered via HTTP protocol, however, the attacker will need a valid credential as the HTTP authentication take places first. This issue has been fixed in version 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts and 23.3.16.7-lts.

Affected configurations

Vulners

NVD

Node

clickhouseclickhouseRange<23.3.16.7-lts

VendorProductVersionCPE
clickhouseclickhouse*cpe:2.3:a:clickhouse:clickhouse:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
clickhouse	clickhouse	*	cpe:2.3:a:clickhouse:clickhouse::::::::

CNA Affected

[
  {
    "vendor": "ClickHouse",
    "product": "ClickHouse",
    "versions": [
      {
        "version": "< 23.3.16.7-lts",
        "status": "affected"
      }
    ]
  }
]