CVE-2024-6873

It is possible to crash or redirect the execution flow of the ClickHouse server process from an unauthenticated vector by sending a specially crafted request to the ClickHouse server native interface. This redirection is limited to what is available within a 256-byte range of memory at the time of execution, and no known remote code execution (RCE) code has been produced or exploited.

Fixes have been merged to all currently supported version of ClickHouse.If you are maintaining your own forked version of ClickHouse or using an older version and cannot upgrade, the fix for this vulnerability can be found in this commit https://github.com/ClickHouse/ClickHouse/pull/64024 .
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
ClickHouseCNA
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
Debian logo
Debian Releases
Debian Product
Codename
clickhouse
bullseye
18.16.1+ds-7.2+deb11u1
fixed
bookworm
18.16.1+ds-7.3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
clickhouse
plucky
dne
oracular
dne
noble
needs-triage
jammy
dne
focal
needs-triage
bionic
dne
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-432f-r822-j66f