Lucene search

[email protected]NVD:CVE-2023-48704

HistoryDec 22, 2023 - 4:15 p.m.

CVE-2023-48704

2023-12-2216:15:08

CWE-122

CWE-787

CWE-120

[email protected]

web.nvd.nist.gov

clickhouse

server

heap buffer overflow

cve-2023-48704

security issue

gorilla codec

decompression logic

clickhouse cloud

clickhouse versions

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0005 Low

EPSS

Percentile

17.0%

JSON

ClickHouse is an open-source column-oriented database management system that allows generating analytical data reports in real-time. A heap buffer overflow issue was discovered in ClickHouse server. An attacker could send a specially crafted payload to the native interface exposed by default on port 9000/tcp, triggering a bug in the decompression logic of Gorilla codec that crashes the ClickHouse server process. This attack does not require authentication. This issue has been addressed in ClickHouse Cloud version 23.9.2.47551 and ClickHouse versions 23.10.5.20, 23.3.18.15, 23.8.8.20, and 23.9.6.20.

Affected configurations

NVD

Node

clickhouseclickhouseRange23.3–23.3.18.15

clickhouseclickhouseRange23.8–23.8.8.20

clickhouseclickhouseRange23.9–23.9.6.20

clickhouseclickhouseRange23.10–23.10.5.20

clickhouseclickhouse_cloudRange<23.9.2.47551

References

github.com/ClickHouse/ClickHouse/pull/57107

github.com/ClickHouse/ClickHouse/security/advisories/GHSA-5rmf-5g48-xv63

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for NVD:CVE-2023-48704

ubuntucve1 cve1 prion1 cvelist1 debiancve1