Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-22412

Good to know:

icon

Date: March 18, 2024

ClickHouse is an open-source column-oriented database management system. A bug exists in the cloud ClickHouse offering prior to version 24.0.2.54535 and in github.com/clickhouse/clickhouse version 23.1. Query caching bypasses the role based access controls and the policies being enforced on roles. In affected versions, the query cache only respects separate users, however this is not documented and not expected behavior. People relying on ClickHouse roles can have their access control lists bypassed if they are using query caching. Attackers who have control of a role could guess queries and see data they shouldn't have access to. Version 24.1 of ClickHouse and version 24.0.2.54535 of ClickHouse Cloud contain a patch for this issue. Based on the documentation, role based access control should be enforced regardless if query caching is enabled or not.

Language: C++

Severity Score

Related Resources (5)

https://nvd.nist.gov/vuln/detail/CVE-2024-22412
https://github.com/ClickHouse/ClickHouse/pull/58611
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-45h5-f7g3-gr8r
https://github.com/ClickHouse/ClickHouse/blob/bd17ee769e337906c4b1f404861e042ad72fcbfc/src/Interpreters/executeQuery.cpp#L1013-L1015
https://www.mend.io/vulnerability-database/CVE-2024-22412

Severity Score

Weakness Type (CWE)

Incorrect Authorization

CWE-863

Top Fix

icon

Upgrade Version

Upgrade to version v24.1.1.2048-stable

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): ADJACENT_NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): HIGH
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us