CVE-2023-47118 — Heap-based Buffer Overflow in Clickhouse
Severity
9.8 CRITICAL (NVD)
NVD 7.5
EPSS
0.4%
top 40.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Dec 20
Latest update: Dec 21
Description
ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real-time. A heap buffer overflow issue was discovered in ClickHouse server. An attacker could send a specially crafted payload to the native interface exposed by default on port 9000/tcp, triggering a bug in the decompression logic of T64 codec that crashes the ClickHouse server process. This attack does not require authentication. Note that this exploit can also be trigger…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 4 packages
Vulnerability Details
OSV: CVE-2023-48298: ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real-time (2023-12-21)
OSV: CVE-2023-47118: ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real-time (2023-12-20)