Heap buffer overflow in T64 codec decompression
CVE-2023-47118

7 HIGH

Key Information:

Vendor: ClickHouse
CVE Published: 20 December 2023

What is CVE-2023-47118?

A heap buffer overflow vulnerability has been identified in ClickHouse, an open-source column-oriented database management system. This flaw arises from a bug in the decompression logic of the T64 codec, which can be triggered by an attacker sending a specially crafted payload to ClickHouse's native interface (default port 9000/tcp). Notably, this attack does not require any authentication, making it particularly concerning. While the exploit can also be executed via the HTTP protocol, it requires valid credentials due to the authentication step. This vulnerability has been addressed in the following versions: 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts, and 23.3.16.7-lts.
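As an added defender-side check (not code from the advisory or from the ClickHouse project), the following Python classifies a server's reported version against the four fixed releases listed above. The branch rules (unlisted branches between 23.3 and 23.10 are treated as unpatched, anything newer than 23.10 as unknown) and the sample inventory are assumptions constructed for the example.

```python
import re

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED_RELEASES = {
    (23, 3): (23, 3, 16, 7),
    (23, 8): (23, 8, 6, 16),
    (23, 9): (23, 9, 4, 11),
    (23, 10): (23, 10, 2, 13),
}
NEWEST_FIXED_BRANCH = max(FIXED_RELEASES)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z]+)?$")

def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH.BUILD[-lts|-stable]' into a 4-tuple of ints."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ClickHouse version: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess_version(text):
    """Classify a version against CVE-2023-47118: 'patched', 'unpatched' or 'unknown'."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        # A fixed branch is safe once the server is at or past its fixed release.
        return "patched" if version >= FIXED_RELEASES[branch] else "unpatched"
    if branch < NEWEST_FIXED_BRANCH:
        # Older than 23.3, or a branch such as 23.4-23.7 for which the advisory
        # lists no fixed release (assumption): nothing to upgrade to in-branch.
        return "unpatched"
    return "unknown"  # newer than 23.10: the advisory does not cover it

def triage_inventory(lines):
    """Map host -> status for hosts not known to be patched; lines are 'host<TAB>version'."""
    findings = {}
    for line in lines:
        host, _, version = line.partition("\t")
        status = assess_version(version)
        if status != "patched":
            findings[host] = status
    return findings

# Constructed sample inventory (hypothetical hosts; versions as `SELECT version()` reports them).
SAMPLE_INVENTORY = [
    "olap-01\t23.3.16.7-lts",
    "olap-02\t23.3.15.29-lts",
    "olap-04\t23.5.3.24-stable",
    "olap-05\t23.11.1.1",
]
```

Hosts reported as "unknown" should be confirmed against the vendor's release notes rather than assumed safe.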

Affected Version(s)

ClickHouse < 23.3.16.7-lts

CVSS V3.1

  • Score: 7
  • Severity: HIGH
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published: 20 December 2023
  • Vulnerability reserved