Fedora 30 : rsyslog (2019-1fb95ae48d)
Rebase to upstream version 8.1911.0. New modules available: ClickHouse output, generic REST API http output, docker API input, misc. external program input (takes output of specified binary as log source). Note that Tenable Network Security has...
Fedora 31 : rsyslog (2019-ea7d5876a4)
Rebase to upstream version 8.1911.0. New modules available: ClickHouse output, generic REST API http output, docker API input, misc. external program input (takes output of specified binary as log source). Note that Tenable Network Security has...
PT-2019-14693 · Yandex +1 · Clickhouse +1
Name of the Vulnerable Software and Affected Versions: ClickHouse versions prior to 19.14. Description: The issue concerns an out-of-bounds (OOB) read, OOB write, and integer underflow in decompression algorithms. This can be exploited to achieve remote code execution (RCE) or cause a denial of servic...
PT-2019-13937 · Yandex +1 · Clickhouse +1
Name of the Vulnerable Software and Affected Versions: ClickHouse versions prior to 19.14.3. Description: The issue allows an attacker with write access to ZooKeeper and the ability to run a custom server on the network where ClickHouse runs to create a malicious server acting as a ClickHouse...
ClickHouse HTTP header injection vulnerability
ClickHouse is a columnar open source database management system that allows real-time generation of reports on analyzed data. A security vulnerability exists in ClickHouse versions prior to 19.13.5.44. The vulnerability can be exploited to conduct HTTP header injection attacks via the url table...
CVE-2019-18657
ClickHouse before 19.13.5.44 allows HTTP header injection via the url table function...
Design/Logic Flaw
ClickHouse before 19.13.5.44 allows HTTP header injection via the url table function...
CVE-2019-18657
Summary: CVE-2019-18657 affects ClickHouse prior to 19.13.5.44, where the HTTP header injection flaw can be triggered via the url table function. The vulnerability’s root cause is unsafe handling of HTTP headers in the url table function, enabling an attacker to inject arbitrary headers in reque...
PT-2019-15559 · Alt Linux Team +2 · Alt Linux +1
Name of the Vulnerable Software and Affected Versions: ClickHouse versions prior to 19.13.5.44; ALT Linux affected versions not specified. Description: The issue allows HTTP header injection via the url table function. There is also a mention of a vulnerability in the ALT Linux package, but details...
Fixed in ClickHouse Release 19.13.6.1, 2019-09-20
Table function url had a vulnerability that allowed the attacker to inject arbitrary HTTP headers in the request...
Fixed in ClickHouse Release 19.14.3.3, 2019-09-10
An attacker who has write access to ZooKeeper and who can run a custom server available from the network where ClickHouse runs can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. When another replica fetches a data part from the...
CVE-2019-15024
An attacker who has write access to ZooKeeper and who can run a custom server available from the network where ClickHouse runs can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. When another replica fetches a data part from the...
CVE-2018-14670
Incorrect configuration in deb package in ClickHouse before 1.1.54131 could lead to unauthorized use of the database...
CVE-2018-14669
ClickHouse MySQL client before version 1.1.54390 had "LOAD DATA LOCAL INFILE" functionality enabled, which allowed a malicious MySQL database to read arbitrary files from the connected ClickHouse server...
CVE-2018-14668
In ClickHouse before 1.1.54388, "remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks...