CVE-2019-15024 ClickHouse vulnerability

2 documents, 2 sources
Severity: 6.5 MEDIUM (NVD)
EPSS: 0.4% (top 38.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Dec 30; Latest update May 24

Description

In all versions of ClickHouse before 19.14.3, an attacker who has write access to ZooKeeper and who is able to run a custom server reachable from the network where ClickHouse runs can create a custom-built malicious server that acts as a ClickHouse replica and register it in ZooKeeper. When another replica fetches a data part from the malicious replica, the malicious replica can force clickhouse-server to write to an arbitrary path on the filesystem.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (Exploitability: 2.8 | Impact: 3.6)

Affected Packages (2 packages)

NVD: clickhouse/clickhouse < 19.14.3
CVEListV5: clickhouse/clickhouse, all versions prior to version 19.14.3.

Vulnerability Details

1. GHSA
GHSA-vv4f-6f99-x599: In all versions of ClickHouse before 19 (2022-05-24)