532 matches found
CVE-2021-43305
Heap buffer overflow in ClickHouse's LZ4 compression codec when parsing a malicious query. There is no verification that the copy operations in the LZ4::decompressImpl loop and especially the arbitrary copy operation wildCopyop, ip, copyend , don't exceed the destination buffer's limits. This iss...
CVE-2021-42391
Divide-by-zero in ClickHouse's Gorilla compression codec when parsing a malicious query. The first byte of the compressed buffer is used in a modulo operation without being checked for 0. JFrog Security Research Team...
DNSMonster - Passive DNS Capture/Monitoring Framework
Passive DNS collection and monitoring built with Golang, Clickhouse and Grafana: dnsmonster implements a packet sniffer for DNS traffic. It can accept traffic from a pcap file, a live interface or a dnstap socket, and can be used to index and store thousands of DNS queries per second it has shown...
CVE-2021-25263
Removed by vendor...
Yandex Browser 安全漏洞
Yandex ClickHouse is a set of open source columnar databases for online analytical processing from the Russian company Yandex. A security vulnerability exists in previous versions of Yandex Clickhouse v20.8.18.32-lts, v21.1.9.41-stable, v21.2.9.41-stable, v21.3.6.55-lts, and v21.4.3.21-stable,...
Adminer < 4.7.8 Server-Side Request Forgery
The version of Adminer installed on the remote host suffers from a Server-Side Request Forgery SSRF flaw via the error page of Elasticsearch and ClickHouse in versions bundling all drivers, this may permit clients to make onward connections to arbitrary systems/ports & can be used to potentially...
GitHub Security Lab: Python: Add support of clickhouse-driver package
This bug was reported directly to GitHub Security Lab...
Fixed in ClickHouse 21.4.3.21, 2021-04-12
An attacker that has CREATE DICTIONARY privilege, can read arbitary file outside permitted directory...
Fixed in ClickHouse 21.4.3.21, 2021-04-12
An attacker that has CREATE DICTIONARY privilege, can read arbitary file outside permitted directory...
PT-2021-6811 · Yandex +1 · Yandex Browser +1
Name of the Vulnerable Software and Affected Versions: ClickHouse versions prior to v20.8.18.32-lts ClickHouse versions prior to v21.1.9.41-stable ClickHouse versions prior to v21.2.9.41-stable ClickHouse versions prior to v21.3.6.55-lts ClickHouse versions prior to v21.4.3.21-stable Yandex Brows...
GHSA-VGV5-CXVH-VFXH Arbitrary code execution in clickhouse-driver
clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code on a database client via a crafted server response, due to a buffer overflow...
airflow-clickhouse-plugin (>=0.5.1 <=0.5.3), baluchon (=0.0.1) +4 more potentially affected by CVE-2020-26759 via clickhouse-driver (>=0.1.1 <=0.1.4)
clickhouse-driver PYPI version =0.1.1, =0.5.1, =0.0.4, =0.0.31, =2.2.0, =2.3.2 Source cves: CVE-2020-26759 Source advisory: OSV:GHSA-VGV5-CXVH-VFXH...
Arbitrary code execution in clickhouse-driver
clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code on a database client via a crafted server response, due to a buffer overflow...
Server-Side Request Forgery (SSRF)
vrana/adminer is vulnerable to server-side request forgery SSRF. An attacker is able submit requests on behalf of the server via the error page of Elasticsearch and ClickHouse...
Mail.ru: [int.ucs.ru] Атаки на внутреннюю сеть UCS через СУБД Clickhouse
Some requests to clickhouse in ucs.ru were externally available potentially allowing SQL-like requests execution...
Arbitrary Code Execution
clickhouse-driver is vulnerable to arbitrary code execution. The vulnerability exists as it was possible to cause buffer overflow by suppling large values on the parameters which were Pyssizet typed...
CVE-2020-26759
clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code on a database client via a crafted server response, due to a buffer overflow...
CVE-2020-26759
clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code on a database client via a crafted server response, due to a buffer overflow...
DEBIAN-CVE-2020-26759
clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code on a database client via a crafted server response, due to a buffer overflow...
airflow-clickhouse-plugin (>=0.5.1 <=0.5.3), baluchon (=0.0.1) +4 more potentially affected by CVE-2020-26759 via clickhouse-driver (>=0.1.1 <=0.1.4)
clickhouse-driver PYPI version =0.1.1, =0.5.1, =0.0.4, =0.0.31, =2.2.0, =2.3.2 Source cves: CVE-2020-26759 Source advisory: OSV:PYSEC-2021-61...