53 matches found
CVE-2022-44011
An issue was discovered in ClickHouse before 22.9.1.2603. An authenticated user with the ability to load data could cause a heap buffer overflow and crash the server by inserting a malformed CapnProto object. The fixed versions are 22.9.1.2603, 22.8.2.11, 22.7.4.16, 22.6.6.16, and 22.3.12.19...
ClickHouse Security Breach
ClickHouse is ClickHouse's fastest and most resource-efficient open source database for real-time applications and analytics. A security vulnerability exists in versions prior to ClickHouse 22.9.1.2603. An attacker exploited the vulnerability to cause the server to crash...
CVE-2022-44010
An issue was discovered in ClickHouse before 22.9.1.2603. An attacker could send a crafted HTTP request to the HTTP Endpoint usually listening on port 8123 by default, causing a heap-based buffer overflow that crashes the process. This does not require authentication. The fixed versions are...
GHSA-G8PH-74M6-8M7R ClickHouse vulnerable to client certificate password exposure in client exception
Summary As initially reported in issue 1331, when client certificate authentication is enabled with password protection, the password referred to as the client option sslkey may be exposed in client exceptions e.g., ClickHouseException or SQLException. This vulnerability can potentially lead to...
PT-2021-23611 · Unknown +2 · Clickhouse +1
Name of the Vulnerable Software and Affected Versions: Clickhouse affected versions not specified Description: The issue is related to a divide-by-zero error in Clickhouse's Delta compression codec. This error occurs when parsing a malicious query, where the first byte of the compressed buffer is...
PT-2021-23610 · Unknown +4 · Clickhouse +3
Name of the Vulnerable Software and Affected Versions: ClickHouse affected versions not specified Description: A heap out-of-bounds read issue exists in ClickHouse's LZ4 compression codec when parsing a malicious query. The LZ4::decompressImpl loop reads a 16-bit unsigned user-supplied value offs...
PT-2021-23612 · Unknown +2 · Clickhouse +1
Name of the Vulnerable Software and Affected Versions: Clickhouse affected versions not specified Description: The issue is related to a divide-by-zero error in Clickhouse's DeltaDouble compression codec. This occurs when parsing a malicious query, where the first byte of the compressed buffer is...
CVE-2021-42389
Divide-by-zero in ClickHouse's Delta compression codec when parsing a malicious query. The first byte of the compressed buffer is used in a modulo operation without being checked for 0. JFrog Security Research Team...
PT-2019-14693 · Yandex +1 · Clickhouse +1
Name of the Vulnerable Software and Affected Versions: ClickHouse versions prior to 19.14 Description: The issue concerns an out-of-bounds OOB read, OOB write, and integer underflow in decompression algorithms. This can be exploited to achieve remote code execution RCE or cause a denial of servic...
PT-2019-13937 · Yandex +1 · Clickhouse +1
Name of the Vulnerable Software and Affected Versions: ClickHouse versions prior to 19.14.3 Description: The issue allows an attacker with write access to ZooKeeper and the ability to run a custom server on the network where ClickHouse runs to create a malicious server acting as a ClickHouse...
PT-2019-15559 · Alt Linux Team +2 · Alt Linux +1
Name of the Vulnerable Software and Affected Versions: ClickHouse versions prior to 19.13.5.44 ALT Linux affected versions not specified Description: The issue allows HTTP header injection via the url table function. There is also a mention of a vulnerability in the ALT Linux package, but details...
CVE-2018-14671
In ClickHouse before 18.10.3, unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability...
PT-2019-9043 · Yandex · Clickhouse
Name of the Vulnerable Software and Affected Versions: ClickHouse versions prior to 18.12.13 Description: The issue allows path traversal and reading of arbitrary files through error messages in functions for loading CatBoost models. Recommendations: For versions prior to 18.12.13, update to...