It is possible to crash or redirect the execution flow of the ClickHouse server process from an unauthenticated vector by sending a specially crafted request to the ClickHouse server native interface. This redirection is limited to what is available within a 256-byte range of memory at the time of execution, and no known remote code execution (RCE) code has been produced or exploited.
Fixes have been merged to all currently supported versions of ClickHouse. If you are maintaining your own forked version of ClickHouse or using an older version and cannot upgrade, the fix for this vulnerability can be found in this commit: https://github.com/ClickHouse/ClickHouse/pull/64024
History
No history.
MITRE
Status: PUBLISHED
Assigner: ClickHouse
Published: 2024-08-01T15:57:25.304Z
Updated: 2024-08-02T15:18:28.271Z
Reserved: 2024-07-18T03:24:47.800Z
Link: CVE-2024-6873
Vulnrichment
Updated: 2024-08-02T15:18:21.987Z
NVD
Status: Awaiting Analysis
Published: 2024-08-01T16:15:07.187
Modified: 2024-08-01T16:45:25.400
Link: CVE-2024-6873
Redhat
No data.