525 matches found
PT-2019-13937 · Yandex +1 · Clickhouse +1
Name of the Vulnerable Software and Affected Versions: ClickHouse versions prior to 19.14.3. Description: The issue allows an attacker with write access to ZooKeeper and the ability to run a custom server on the network where ClickHouse runs to create a malicious server acting as a ClickHouse...
ClickHouse HTTP header injection vulnerability
ClickHouse is a columnar open source database management system that allows real-time generation of reports on analyzed data. A security vulnerability exists in ClickHouse versions prior to 19.13.5.44. The vulnerability can be exploited to conduct HTTP header injection attacks via the url table...
CVE-2019-18657
ClickHouse before 19.13.5.44 allows HTTP header injection via the url table function...
Design/Logic Flaw
ClickHouse before 19.13.5.44 allows HTTP header injection via the url table function...
CVE-2019-18657
Summary: CVE-2019-18657 affects ClickHouse prior to 19.13.5.44, where the HTTP header injection flaw can be triggered via the url table function. The vulnerability’s root cause is unsafe handling of HTTP headers in the url table function, enabling an attacker to inject arbitrary headers in reque...
PT-2019-15559 · Alt Linux Team +2 · Alt Linux +1
Name of the Vulnerable Software and Affected Versions: ClickHouse versions prior to 19.13.5.44; ALT Linux affected versions not specified. Description: The issue allows HTTP header injection via the url table function. There is also a mention of a vulnerability in the ALT Linux package, but details...
Fixed in ClickHouse Release 19.13.6.1, 2019-09-20
Table function url had a vulnerability that allowed an attacker to inject arbitrary HTTP headers in the request...
Fixed in ClickHouse Release 19.14.3.3, 2019-09-10
An attacker who has write access to ZooKeeper and who can run a custom server available from the network where ClickHouse runs can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. When another replica fetches a data part from the...
CVE-2019-15024
An attacker who has write access to ZooKeeper and who can run a custom server available from the network where ClickHouse runs can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. When another replica fetches a data part from the...
CVE-2018-14669
ClickHouse MySQL client before version 1.1.54390 had "LOAD DATA LOCAL INFILE" functionality enabled, which allowed a malicious MySQL database to read arbitrary files from the connected ClickHouse server...
CVE-2018-14670
Incorrect configuration in deb package in ClickHouse before 1.1.54131 could lead to unauthorized use of the database...
CVE-2018-14672
In ClickHouse before 18.12.13, functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages...
CVE-2018-14671
In ClickHouse before 18.10.3, unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability...
CVE-2018-14668
In ClickHouse before 1.1.54388, "remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks...