CVE-2021-42387
Published: Mar 14, 2022
Modified: Aug 4, 2024
PUBLISHED
Description
Heap out-of-bounds read in ClickHouse's LZ4 compression codec when parsing a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from the compressed data. The offset is later used in the length of a copy operation, without checking the upper bounds of the source of the copy operation.
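The bounds checks this class of bug calls for, shown in a simplified LZ4 block decoder added here as an example; it is not ClickHouse's `LZ4::decompressImpl()` code, and the name `lz4_safe_decode` is an assumption made for illustration. Each match copy is validated against the bytes already written and the space left in the output before it runs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative decoder (hypothetical name, not ClickHouse code).
 * Decodes one LZ4 block; returns bytes written, or -1 on malformed input. */
static long lz4_safe_decode(const uint8_t *src, size_t src_len,
                            uint8_t *dst, size_t dst_cap)
{
    const uint8_t *ip = src, *iend = src + src_len;
    uint8_t *op = dst, *oend = dst + dst_cap;

    while (ip < iend) {
        uint8_t token = *ip++, b;
        size_t lit = token >> 4, mlen = token & 15;

        if (lit == 15) {                  /* extended literal length */
            do {
                if (ip >= iend) return -1;
                b = *ip++;
                lit += b;
            } while (b == 255);
        }
        /* Literal copy must fit in both the input and the output. */
        if (lit > (size_t)(iend - ip) || lit > (size_t)(oend - op)) return -1;
        memcpy(op, ip, lit);
        ip += lit;
        op += lit;
        if (ip == iend) break;            /* last sequence is literals only */

        if ((size_t)(iend - ip) < 2) return -1;
        size_t offset = ip[0] | ((size_t)ip[1] << 8);  /* 16-bit, untrusted */
        ip += 2;
        /* Source is op - offset: it must lie inside the bytes written so far. */
        if (offset == 0 || offset > (size_t)(op - dst)) return -1;

        if (mlen == 15) {                 /* extended match length */
            do {
                if (ip >= iend) return -1;
                b = *ip++;
                mlen += b;
            } while (b == 255);
        }
        mlen += 4;                        /* LZ4 minimum match length */
        /* With offset >= 1, this also keeps every source byte below oend. */
        if (mlen > (size_t)(oend - op)) return -1;
        const uint8_t *match = op - offset;
        for (size_t i = 0; i < mlen; i++) op[i] = match[i];  /* overlap-safe */
        op += mlen;
    }
    return (long)(op - dst);
}
```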
| Vendor | Product | Versions |
|---|---|---|
| yandex | clickhouse | affected unspecified - < 21.10.2.15-stable |
Weaknesses (CWE)