Unauthenticated heap buffer overflow in Gorilla codec decompression
CVE-2023-48704
What is CVE-2023-48704?
A heap buffer overflow vulnerability has been identified in ClickHouse, an open-source column-oriented database management system. The flaw resides in the decompression logic of the Gorilla codec and can be triggered by a specially crafted payload sent to the default native interface on port 9000/tcp. A successful attack can crash the ClickHouse server process and does not require any form of authentication. The issue has been addressed in several versions of ClickHouse.

Affected Version(s)
ClickHouse < 23.9.2.47551
ClickHouse < 23.10.5.20
ClickHouse < 23.3.18.15
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved
