Description
Exposure of sensitive information in exceptions in ClickHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message.
References
- Exploit, Issue Tracking
- Issue Tracking, Patch
- Release Notes
- Vendor Advisory
- Third Party Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1: versions before 0.4.6 (excluding)
cpe:2.3:a:clickhouse:java_libraries:*:*:*:*:*:*:*:*
EPSS
Percentile: 79%
0.0126
Low
8.8 High
CVSS3
Weaknesses
CWE-209
Related vulnerabilities
CVSS3: 4.8
github
more than 2 years ago
ClickHouse vulnerable to client certificate password exposure in client exception