CVE-2023-48298

EUVD-2023-52359
ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real time. This vulnerability is an integer underflow resulting in a crash due to a stack buffer overflow in the decompression of the FPC codec. It can be triggered and exploited by an unauthenticated attacker. The vulnerability is very similar to CVE-2023-47118 in how the vulnerable function can be exploited.
Wrap or Wraparound
Provider   Type     Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       Primary  5.9 MEDIUM   NETWORK       HIGH              NONE             CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M   CNA      5.9 MEDIUM   NETWORK       HIGH              NONE             CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score (CVSS 3.x): 5.9 MEDIUM
EPSS Score: Percentile 63%
Affected Products (NVD)
Vendor       Product            Version
clickhouse   clickhouse         23.3 ≤ x ≤ 23.3.17.13
clickhouse   clickhouse         23.8 ≤ x ≤ 23.8.7.24
clickhouse   clickhouse         23.9 ≤ x ≤ 23.9.5.29
clickhouse   clickhouse         23.10 ≤ x ≤ 23.10.4.25
clickhouse   clickhouse_cloud   23.9 ≤ x ≤ 23.9.2.47475
x = Vulnerable software versions
Debian Releases
Product      Codename   Version                   Status
clickhouse   bookworm   18.16.1+ds-7.3            fixed
clickhouse   bullseye   18.16.1+ds-7.2+deb11u1    fixed
Ubuntu Releases
Product      Codename   Status
clickhouse   bionic     ignored
clickhouse   focal      needs-triage
clickhouse   jammy      dne
clickhouse   lunar      ignored
clickhouse   mantic     ignored
clickhouse   noble      needs-triage
clickhouse   oracular   dne
clickhouse   trusty     ignored
clickhouse   xenial     ignored