CVE-2024-23689 ClickHouse Client Certificate Password Exposure

2024-01-1921:02:29

CWE-209

VulnCheck

www.cve.org

clickhouse

sensitive information

exceptions

client certificate

unauthorized access

sslkey

exception logs

8.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

32.1%

JSON

Exposure of sensitive information in exceptions in ClichHouse’s clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when ‘sslkey’ is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message.

CNA Affected

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "com.clickhouse:clickhouse-r2dbc",
    "versions": [
      {
        "lessThan": "0.4.6",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  },
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "com.clickhouse:clickhouse-jdbc",
    "versions": [
      {
        "lessThan": "0.4.6",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  },
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "com.clickhouse:clickhouse-client",
    "versions": [
      {
        "lessThan": "0.4.6",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]