Description
In all versions of ClickHouse before 19.14, an OOB read, OOB write and integer underflow in decompression algorithms can be used to achieve RCE or DoS via native protocol.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_misc
https://clickhouse.yandex/docs/en/security_changelog/
Scores
CVSS v3
9.8
EPSS
0.0132
EPSS Percentile
80.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-125
CWE-191
CWE-787
Status
published
Products (1)
clickhouse/clickhouse
< 19.14
Published
Dec 30, 2019
Tracked Since
Feb 18, 2026