CVE-2023-48704

Published: Dic 22, 2023 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2023-52744 Aliases: GSD-2023-48704

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,0

Source: [email protected]

Attack Vector: network

Attack Complexity: high

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: low

Availability: high

Description

AI Translation Available

ClickHouse is an open-source column-oriented database management system that allows generating analytical data reports in real-time. A heap buffer overflow issue was discovered in ClickHouse server. An attacker could send a specially crafted payload to the native interface exposed by default on port 9000/tcp, triggering a bug in the decompression logic of Gorilla codec that crashes the ClickHouse server process. This attack does not require authentication. This issue has been addressed in ClickHouse Cloud version 23.9.2.47551 and ClickHouse versions 23.10.5.20, 23.3.18.15, 23.8.8.20, and 23.9.6.20.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0036

Percentile

0,6th

Updated

EPSS Score Trend (Last 90 Days)

120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Confidentiality Availability

Potential Impacts:

Modify Memory Execute Unauthorized Code Or Commands Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu)

Applicable Platforms

Languages: Assembly, C, C++, Memory-Unsafe

Likelihood of Exploit: High

View CWE Details

122

Heap-based Buffer Overflow

Draft

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Availability Integrity Confidentiality Access Control Other

Potential Impacts:

Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Execute Unauthorized Code Or Commands Bypass Protection Mechanism Modify Memory Other

Applicable Platforms

Languages: C, C++, Memory-Unsafe

Likelihood of Exploit: High

View CWE Details

787

Out-of-bounds Write

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Availability Other

Potential Impacts:

Modify Memory Execute Unauthorized Code Or Commands Dos: Crash, Exit, Or Restart Unexpected State

Applicable Platforms

Languages: Assembly, C, C++, Memory-Unsafe

Technologies: ICS/OT

Likelihood of Exploit: High

View CWE Details

Application

Clickhouse by Clickhouse

Product Information

Vendor Clickhouse

Product Clickhouse

Version Range Affected

From 23.10 (inclusive)

To 23.10.5.20 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:clickhouse:clickhouse:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Clickhouse by Clickhouse

Product Information

Vendor Clickhouse

Product Clickhouse

Version Range Affected

From 23.9 (inclusive)

To 23.9.6.20 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:clickhouse:clickhouse:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Clickhouse Cloud by Clickhouse

Product Information

Vendor Clickhouse

Product Clickhouse Cloud

Version Range Affected

To 23.9.2.47551 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:clickhouse:clickhouse_cloud:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Clickhouse by Clickhouse

Product Information

Vendor Clickhouse

Product Clickhouse

Version Range Affected

From 23.3 (inclusive)

To 23.3.18.15 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:clickhouse:clickhouse:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Clickhouse by Clickhouse

Product Information

Vendor Clickhouse

Product Clickhouse

Version Range Affected

From 23.8 (inclusive)

To 23.8.8.20 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:clickhouse:clickhouse:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://github.com/ClickHouse/ClickHouse/pull/57107

Patch

https://github.com/ClickHouse/ClickHouse/pull/57107

https://github.com/ClickHouse/ClickHouse/security/advisorie…

Vendor Advisory

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-5rmf-5g48-xv63

https://github.com/ClickHouse/ClickHouse/pull/57107

Patch

https://github.com/ClickHouse/ClickHouse/pull/57107

https://github.com/ClickHouse/ClickHouse/security/advisorie…

Vendor Advisory

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-5rmf-5g48-xv63

CVE-2023-48704

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 90 Days)

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Common Consequences

Applicable Platforms

Heap-based Buffer Overflow

Common Consequences

Applicable Platforms

Out-of-bounds Write

Common Consequences

Applicable Platforms

Clickhouse by Clickhouse

Product Information

Clickhouse by Clickhouse

Product Information

Clickhouse Cloud by Clickhouse

Product Information

Clickhouse by Clickhouse

Product Information

Clickhouse by Clickhouse

Product Information

Iscriviti alla newsletter