Heap Buffer Overflow in Clickhouse's LZ4 Compression Codec
CVE-2021-43305

8.8HIGH

Key Information:

Vendor: Yandex
Status: Clickhouse
Vendor: CVE Published:; 14 March 2022

What is CVE-2021-43305?

A vulnerability exists in Clickhouse's LZ4 compression codec that may allow an attacker to exploit a heap buffer overflow when processing maliciously crafted queries. Due to the absence of checks on the size of data being copied in the decompress operation, it could lead to potential data corruption or unexpected behavior, similar to other known vulnerabilities in the same family. Organizations using Clickhouse should ensure they implement the necessary security updates to protect against this exploit.

Affected Version(s)

clickhouse < 21.10.2.15-stable

References

https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-foun...

https://lists.debian.org/debian-lts-announce/2022/11/msg0...

mailing-list

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 14, 2022
Vulnerability Reserved
Nov 3, 2021

JSON

Yandex

What is CVE-2021-43305?

Affected Version(s)

References

CVSS V3.1

Timeline