Yandex Clickhouse vulnerabilities

6 known vulnerabilities affecting yandex/clickhouse.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 3

Vulnerabilities

CVE-2021-42388 | HIGH | CVSS 8.1 | ≥ unspecified, < 21.10.2.15-stable | 2022-03-14
CVE-2021-42388 [HIGH] CWE-125: Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from the compressed data. The offset is later used in the length of a copy operation, without checking the lower bounds of the source of the copy operation.
nvd
CVE-2021-42387 | HIGH | CVSS 8.1 | ≥ unspecified, < 21.10.2.15-stable | 2022-03-14
CVE-2021-42387 [HIGH] CWE-125: Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from the compressed data. The offset is later used in the length of a copy operation, without checking the upper bounds of the source of the copy operation.
nvd
CVE-2021-43304 | HIGH | CVSS 8.8 | ≥ unspecified, < 21.10.2.15-stable | 2022-03-14
CVE-2021-43304 [HIGH] CWE-122: Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query. There is no verification that the copy operations in the LZ4::decompressImpl loop and especially the arbitrary copy operation wildCopy(op, ip, copy_end), don’t exceed the destination buffer’s limits.
nvd
CVE-2021-42391 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 21.10.2.15-stable | 2022-03-14
CVE-2021-42391 [MEDIUM] CWE-369: Divide-by-zero in Clickhouse's Gorilla compression codec when parsing a malicious query. The first byte of the compressed buffer is used in a modulo operation without being checked for 0.
nvd
CVE-2021-42389 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 21.10.2.15-stable | 2022-03-14
CVE-2021-42389 [MEDIUM] CWE-369: Divide-by-zero in Clickhouse's Delta compression codec when parsing a malicious query. The first byte of the compressed buffer is used in a modulo operation without being checked for 0.
nvd
CVE-2021-42390 | MEDIUM | CVSS 6.5 | ≥ unspecified, < 21.10.2.15-stable | 2022-03-14
CVE-2021-42390 [MEDIUM] CWE-369: Divide-by-zero in Clickhouse's DeltaDouble compression codec when parsing a malicious query. The first byte of the compressed buffer is used in a modulo operation without being checked for 0.
nvd