Bug in ClickHouse Query Caching Bypasses Role-Based Access Controls
CVE-2024-22412
What is CVE-2024-22412?
An issue in the open-source ClickHouse database allows unauthorized users to bypass role-based access controls through its query caching mechanism. In specific versions, the query cache separates entries only by user and does not take roles into account, a behavior that is unexpected and not documented by ClickHouse. As a result, users with access to a role might use the query cache to execute certain queries and view sensitive data they should not have permission to access. Users relying on role-based access control for data security are particularly at risk. Version 24.1 of ClickHouse and version 24.0.2.54535 of ClickHouse Cloud include patches for this vulnerability, ensuring that role-based access policies are enforced irrespective of query caching settings.
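
The cache-key problem described above can be shown with a small model. This is an added example, not ClickHouse code: the `QueryCache` class, the `include_roles` switch, the user `alice`, and the sample rows are all constructed for illustration, and keying on the active role set is one assumed way to restore isolation.

```python
from dataclasses import dataclass, field

# Constructed sample data: each row is visible only to the listed role.
ROWS = [
    {"id": 1, "owner_role": "analyst", "value": "public-metrics"},
    {"id": 2, "owner_role": "auditor", "value": "payroll-export"},
]

def run_query(active_roles):
    """Stand-in for executing a SELECT under role-based row filtering."""
    return [r["value"] for r in ROWS if r["owner_role"] in active_roles]

@dataclass
class QueryCache:
    include_roles: bool            # False models the affected behaviour
    entries: dict = field(default_factory=dict)
    hits: int = 0

    def key(self, user, active_roles, sql):
        if self.include_roles:
            # Assumed hardening: the active role set is part of the key.
            return (user, frozenset(active_roles), sql)
        return (user, sql)         # role set is ignored

    def select(self, user, active_roles, sql):
        k = self.key(user, active_roles, sql)
        if k in self.entries:
            self.hits += 1         # served without re-checking access
            return self.entries[k]
        result = run_query(active_roles)
        self.entries[k] = result
        return result

def replay(cache):
    """Same user and SQL text: first with the auditor role active, then without."""
    sql = "SELECT value FROM t"
    cache.select("alice", {"analyst", "auditor"}, sql)
    return cache.select("alice", {"analyst"}, sql)

if __name__ == "__main__":
    print("user-only key :", replay(QueryCache(include_roles=False)))
    print("user+role key :", replay(QueryCache(include_roles=True)))
```

With the user-only key, the second call is a cache hit and returns the row that only the auditor role may read; with the role set in the key, the second call misses and is evaluated under the roles actually active.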

Affected Version(s)
ClickHouse = 23.1
ClickHouse < 24.0.2.54535
