exploitDog

CVE-2019-15024

Опубликовано: 30 дек. 2019

Источник: nvd

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

In all versions of ClickHouse before 19.14.3, an attacker having write access to ZooKeeper and who is able to run a custom server available from the network where ClickHouse runs, can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. When another replica will fetch data part from the malicious replica, it can force clickhouse-server to write to arbitrary path on filesystem.

Ссылки

https://clickhouse.yandex/docs/en/security_changelog/
Vendor Advisory
https://clickhouse.yandex/docs/en/security_changelog/
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:clickhouse:clickhouse:*:*:*:*:*:*:*:*

Версия до 19.14.3 (исключая)

EPSS

Процентиль: 57%

0.00348

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

GHSA-vv4f-6f99-x599

CVSS3: 6.5

github

больше 3 лет назад

In all versions of ClickHouse before 19.14.3, an attacker having write access to ZooKeeper and who is able to run a custom server available from the network where ClickHouse runs, can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. When another replica will fetch data part from the malicious replica, it can force clickhouse-server to write to arbitrary path on filesystem.

EPSS

Процентиль: 57%

0.00348

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

NVD-CWE-noinfo