CVE-2019-15024

Published: Dic 30, 2019 Last Modified: Giu 25, 2025 EU-VD ID: EUVD-2019-6111 Aliases: GSD-2019-15024
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 6,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: high
Availability: none
MEDIUM 4,0
Source: [email protected]
Access Vector: network
Access Complexity: low
Authentication: single
Confidentiality: none
Integrity: partial
Availability: none

Description

AI Translation Available

In all versions of ClickHouse before 19.14.3, an attacker having write access to ZooKeeper and who is able to run a custom server available from the network where ClickHouse runs, can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. When another replica will fetch data part from the malicious replica, it can force clickhouse-server to write to arbitrary path on filesystem.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0035
Percentile
0,6th
Updated

EPSS Score Trend (Last 90 Days)

Application

Clickhouse by Clickhouse

Product Information
Vendor Clickhouse
Product Clickhouse
Version Range Affected
To 19.14.3 (exclusive)
cpe:2.3:a:clickhouse:clickhouse:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://clickhouse.yandex/docs/en/security_changelog/
Vendor Advisory
https://clickhouse.yandex/docs/en/security_changelog/
https://clickhouse.yandex/docs/en/security_changelog/
Vendor Advisory
https://clickhouse.yandex/docs/en/security_changelog/