Unauthorized File Write Vulnerability in ClickHouse from Yandex
CVE-2019-15024

6.5 MEDIUM

Key Information:

Vendor: Yandex

CVE Published: 30 December 2019

What is CVE-2019-15024?

The vulnerability allows an attacker with write access to ZooKeeper to run a malicious server that masquerades as a ClickHouse replica. This malicious server can register itself in ZooKeeper, leading other replicas to fetch data from it. Consequently, this enables the attacker to command the clickhouse-server to write data to arbitrary file system paths, potentially compromising the integrity of the server and the data it manages.

Affected Version(s)

ClickHouse: all versions prior to version 19.14.3.

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
