Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query. There is no verification that the copy operations in the LZ4::decompressImpl loop and especially the arbitrary copy operation wildCopy<copy_amount>(op, ip, copy_end), don’t exceed the destination buffer’s limits.
References
Link | Resource |
---|---|
https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms | Exploit Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2022/11/msg00002.html | Mailing List Third Party Advisory |
Configurations
History
08 Dec 2022, 03:16
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00002.html - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | |
First Time |
Debian
Debian debian Linux |
04 Nov 2022, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
22 Mar 2022, 15:02
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 6.5
v3 : 8.8 |
First Time |
Yandex clickhouse
Yandex |
|
CPE | cpe:2.3:a:yandex:clickhouse:*:*:*:*:*:*:*:* | |
References | (MISC) https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms - Exploit, Third Party Advisory | |
CWE | CWE-787 |
14 Mar 2022, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-03-14 23:15
Updated : 2023-12-10 14:22
NVD link : CVE-2021-43304
Mitre link : CVE-2021-43304
CVE.ORG link : CVE-2021-43304
JSON object : View
Products Affected
debian
- debian_linux
yandex
- clickhouse