CVE-2021-42388 — Out-of-bounds Read in Clickhouse

CWE-125 — Out-of-bounds Read5 documents5 sources

Severity

8.1HIGHNVD

EPSS

0.3%

top 48.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Yandex Clickhouse Clickhouse Debian Clickhouse +1 more

Timeline

PublishedMar 14

Latest updateJul 31

Description

Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from the compressed data. The offset is later used in the length of a copy operation, without checking the lower bounds of the source of the copy operation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages4 packages

▶CVEListV5yandex/clickhouseunspecified — 21.10.2.15-stable

▶debiandebian/clickhouse< clickhouse 18.16.1+ds-7.3 (bookworm)

▶NVDclickhouse/clickhouse< 21.10.2.15

▶Debianclickhouse/clickhouse< 18.16.1+ds-7.2+deb11u1+1

Also affects: Debian Linux 10.0

🔴Vulnerability Details

GHSA

GHSA-gg7g-5hm7-ggx5: Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query↗2022-03-16

▶

OSV

CVE-2021-42388: Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query↗2022-03-14

▶

📋Vendor Advisories

Ubuntu

ClickHouse vulnerabilities↗2024-07-31

▶

Debian

CVE-2021-42388: clickhouse - Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a mal...↗2021

▶