CVE-2024-22412 — Incorrect Authorization in Clickhouse

CWE-863 — Incorrect Authorization3 documents3 sources

Severity

4.9MEDIUMNVD

EPSS

0.1%

top 71.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Clickhouse Clickhouse Cloud Debian Clickhouse

Timeline

PublishedMar 18

Description

ClickHouse is an open-source column-oriented database management system. A bug exists in the cloud ClickHouse offering prior to version 24.0.2.54535 and in github.com/clickhouse/clickhouse version 23.1. Query caching bypasses the role based access controls and the policies being enforced on roles. In affected versions, the query cache only respects separate users, however this is not documented and not expected behavior. People relying on ClickHouse roles can have their access control lists bypa…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages4 packages

▶NVDclickhouse/clickhouse_cloud< 24.0.2.54535

▶CVEListV5clickhouse/clickhouse< 24.0.2.54535+1

▶NVDclickhouse/clickhouse23.3.0.0 — 23.3.22.3+3

▶debiandebian/clickhouse

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-22412: ClickHouse is an open-source column-oriented database management system↗2024-03-18

▶

📋Vendor Advisories

Debian

CVE-2024-22412: clickhouse - ClickHouse is an open-source column-oriented database management system. A bug e...↗2024

▶