Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveVulnCheckCVE-2024-23689
HistoryJan 19, 2024 - 9:15 p.m.

CVE-2024-23689

2024-01-1921:15:10
CWE-209
VulnCheck
web.nvd.nist.gov
21
clichhouse
clickhouse-r2dbc
clickhouse-jdbc
clickhouse-client
sensitive information exposure
unauthorized access
exception logs
cve-2024-23689
nvd
security vulnerability.

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

32.1%

JSON

Exposure of sensitive information in exceptions in ClichHouse’s clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when ‘sslkey’ is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message.

Affected configurations

Nvd
Node
clickhousejava_librariesRange<0.4.6
VendorProductVersionCPE
clickhousejava_libraries*cpe:2.3:a:clickhouse:java_libraries:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "com.clickhouse:clickhouse-r2dbc",
    "versions": [
      {
        "lessThan": "0.4.6",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  },
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "com.clickhouse:clickhouse-jdbc",
    "versions": [
      {
        "lessThan": "0.4.6",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  },
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "com.clickhouse:clickhouse-client",
    "versions": [
      {
        "lessThan": "0.4.6",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]

Related

github 1
osv 3
nvd 1
veracode 1
prion 1
cvelist 1
github
github
Exposure of sensitive information in ClickHouse
2024-01-19 21:30:36
osv
osv
CVE-2024-23689
2024-01-19 21:15:10
Exposure of sensitive information in ClickHouse
2024-01-19 21:30:36
ClickHouse vulnerable to client certificate password exposure in client exception
2023-05-12 20:18:51
nvd
nvd
CVE-2024-23689
2024-01-19 21:15:10
veracode
veracode
Sensitive Information Disclosure
2024-01-22 12:19:29
prion
prion
Code injection
2024-01-19 21:15:00
cvelist
cvelist
CVE-2024-23689 ClickHouse Client Certificate Password Exposure
2024-01-19 21:02:29

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

32.1%

JSON
Related for CVE-2024-23689
github1osv3nvd1veracode1prion1cvelist1