Vulnerability Description
ClickHouse is an open-source column-oriented database management system that allows generating analytical data reports in real-time. A heap buffer overflow issue was discovered in ClickHouse server. An attacker could send a specially crafted payload to the native interface exposed by default on port 9000/tcp, triggering a bug in the decompression logic of Gorilla codec that crashes the ClickHouse server process. This attack does not require authentication. This issue has been addressed in ClickHouse Cloud version 23.9.2.47551 and ClickHouse versions 23.10.5.20, 23.3.18.15, 23.8.8.20, and 23.9.6.20.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Clickhouse | Clickhouse | >= 23.3, < 23.3.18.15 |
| Clickhouse | Clickhouse Cloud | < 23.9.2.47551 |
Related Weaknesses (CWE)
References
- https://github.com/ClickHouse/ClickHouse/pull/57107Patch
- https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-5rmf-5g48-xv63Vendor Advisory
- https://github.com/ClickHouse/ClickHouse/pull/57107Patch
- https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-5rmf-5g48-xv63Vendor Advisory
FAQ
What is CVE-2023-48704?
CVE-2023-48704 is a vulnerability with a CVSS score of 7.0 (HIGH). ClickHouse is an open-source column-oriented database management system that allows generating analytical data reports in real-time. A heap buffer overflow issue was discovered in ClickHouse server. A...
How severe is CVE-2023-48704?
CVE-2023-48704 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-48704?
Check the references section above for vendor advisories and patch information. Affected products include: Clickhouse Clickhouse, Clickhouse Clickhouse Cloud.