QwikSec

Security Database

CVE

CWE

Training

CVE-2021-43304

Published: Mar 14, 2022

Modified: Aug 4, 2024

PUBLISHED

Description

Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query. There is no verification that the copy operations in the LZ4::decompressImpl loop and especially the arbitrary copy operation wildCopy<copy_amount>(op, ip, copy_end), don’t exceed the destination buffer’s limits.

Vendor	Product	Versions
yandex	clickhouse	affected `unspecified - < 21.10.2.15-stable`

Weaknesses (CWE)

References

https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms

[debian-lts-announce] 20221104 [SECURITY] [DLA 3176-1] clickhouse security update

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.